Abstract. We examine a bidirectional propositional dynamic logic (PDL) for finite and infinite message sequence charts (MSCs) extending LTL and TLC$^-$. By this kind of multi-modal logic we can express properties both in the entire future and in the past of an event. Path expressions strengthen the classical until operator of temporal logic. For every formula defining an MSC language, we construct a communicating finite-state machine (CFM) accepting the same language. The CFM obtained has size exponential in the size of the formula. This synthesis problem is solved in full generality, i.e., also for MSCs with unbounded channels. The model checking problem for CFMs and HMSCs turns out to be in PSPACE for existentially bounded MSCs. Finally, we show that, for PDL with intersection, the semantics of a formula cannot be captured by a CFM anymore.



1. Introduction 

To make a system accessible to formal analysis and verification techniques, we require it to be modeled mathematically. In this regard, automata-based models have been widely used to describe the behavior of a system under consideration. A natural model for finite processes that exchange messages via FIFO-channels are communicating finite-state machines (CFMs) [BZ83]. In a CFM, each process is modeled as a finite automaton that performs send and receive actions and, in doing so, exchanges messages with other processes via order-preserving communication channels. One single run of a CFM can be described by a message sequence chart (MSC). MSCs are an important common notation in telecommunication and are defined by an ITU standard [ITU96]. An MSC has both a formal definition and a comprehensible visualization.
Once we have an automata model $\mathcal{A}$ of a system defining a set $L(\mathcal{A})$ of possible executions, the next task might be to check if it satisfies a requirements specification $\varphi$, which represents a set $L(\varphi)$ of (desired) behaviors. Verification now amounts to the model-checking question: do all possible behaviors of $\mathcal{A}$ satisfy $\varphi$, i.e., do we have $L(\mathcal{A}) \subseteq L(\varphi)$? Many concrete instances of that problem have been considered in the literature [CGP00]. The original, and most popular, ones are finite automata, Kripke structures, or Büchi automata as system model, and temporal logics such as LTL [Pnu77] and CTL [CE81] as specification language. It is well-known that, for all these choices, the corresponding model-checking problem is decidable.

When we move to the setting of CFMs, which, due to a priori unbounded channels, induce infinite-state systems, model checking becomes undecidable. Meenakshi and Ramanujam [MR04] showed undecidability even for very restrictive temporal logics (their results transfer easily from Lamport diagrams to MSCs). One solution is to put a bound on the channel capacity. In other words, the domain of behaviors is restricted to existentially $B$-bounded MSCs, which can be executed without exceeding a fixed channel bound $B$. In [Pel00, MM01, GMSZ02, GKM06], the model-checking problem was indeed tackled successfully for several logics by using this restriction and following the automata-theoretic approach: (1) a formula $\varphi$ from a temporal logic or monadic second-order logic is translated into a machine model $\mathcal{A}_{\varphi,B}$ that recognizes those models of $\varphi$ that are existentially $B$-bounded; (2) it is checked whether every existentially $B$-bounded behavior of the system model is contained in the language of $\mathcal{A}_{\varphi,B}$.

But on the other hand, we may apply temporal logic in the early stages of system 
development and start with specifying formulas to exemplify the intended interaction of 
the system to be. If so, we would like to synthesize a system model from a formula that 
captures precisely those behaviors that satisfy the formula. In other words, we ask whether a 
temporal-logic formula is realizable, i.e., whether the derived system is consistent and shows 
any reasonable behavior at all. Once a system is synthesized directly from its specification, 
it can be assumed to be correct a priori, provided the translation preserves the semantics 
of the specification. 

Though the assumption of bounded channels leads to the decidability of the model 
checking problem, it does not seem natural to restrict the channel size of the desired system 
in advance, especially when one is interested in the synthesis of a system from a specification. 
Despite the complexity of MSCs, we will provide in this paper a linear-time temporal logic 
for message-passing systems and solve its realizability problem in its full generality, i.e., 
under the assumption of a priori unbounded channels. 

Results from [BL06, BK08] suggest using an existential fragment of monadic second-order logic (EMSO) as a specification language. A formula from that fragment can be translated into a CFM that precisely recognizes the models of the formula. This result holds without channel restriction. In this paper, we basically follow the approach from [BL06, BK08], but we propose a new logic: propositional dynamic logic (PDL) for MSCs. Our logic will prove useful for verification, as it is closed under negation and allows us to express interesting properties in an easy and intuitive manner. Like EMSO, but unlike full monadic second-order logic, every PDL formula $\varphi$ can be effectively translated into a CFM $\mathcal{A}_\varphi$ whose language is the set of models of $\varphi$. This synthesis step is independent of any channel bound $B$ and would not become simpler if we took some $B$ into account. The size of the resulting CFM is exponential in the size of $\varphi$ and in the number of processes. Note that, by [BL06, BK08], EMSO is expressively equivalent to CFMs. Moreover, the set of CFM languages is not closed under complementation. As, on the other hand, PDL does not impose any restriction on the use of negation, we obtain that PDL is a proper fragment of EMSO, although this is not obvious.

The model checking problem of CFMs against PDL formulas can be decided in polynomial space for existentially $B$-bounded MSCs, following a standard procedure and using the translation of $\varphi$ into a CFM $\mathcal{A}_\varphi$. Our PSPACE algorithm meets the lower bound that is imposed by the complexity of LTL model checking for finite-state systems. We also show PSPACE completeness of the model checking problem of high-level MSCs (HMSCs) against PDL formulas (where the bound $B$ is given implicitly by the HMSC). HMSCs are more abstract and restrictive than CFMs, but can likewise be used as a model of a system.

The final technical section considers an enriched logic: iPDL (PDL with intersection). This extension seems natural to strengthen the expressive power of the formulas. But adapting a proof technique from colored grids, we show that iPDL is too strong for CFMs, i.e., there is an iPDL formula $\varphi$ such that no CFM accepts precisely the models of $\varphi$.

Related Work. For MSCs, there exist a few attempts to define suitable temporal logics. Meenakshi and Ramanujam obtained exponential-time decision procedures for several temporal logics over Lamport diagrams (which are similar to MSCs) [MR00, MR04]. Peled [Pel00] considered the fragment TLC$^-$ of the temporal logic TLC that was introduced in [APP95]. Like their logics, our logic is interpreted directly over MSCs, not over linearizations; it combines elements from [MR04] (global next operator, past operators) and [Pel00] (global next operator, existential interpretation of the until-operator). In particular, however, it is inspired by dynamic LTL as introduced by Henriksen and Thiagarajan first for words [HT99]. There, standard LTL is extended by indexing the until operator with a regular expression to make it more expressive. The same authors applied dynamic LTL also to Mazurkiewicz traces but reasoned only about the future of an event in the same process [HT97]. In contrast, we might argue about the whole future of an event rather than about one single process. Moreover, we provide past operators to judge about events that have already been executed. We call our logic PDL because it is essentially the original propositional dynamic logic as first defined by Fischer and Ladner [FL79], but here in the framework of MSCs. Although PDL can be seen as an extension of Peled's TLC$^-$, our decision procedure is rather different. Instead of translating a PDL formula $\varphi$ into a CFM directly, we use an inductive method inspired by [GK03, GK07, GK10]. As TLC$^-$ is a fragment of PDL, we actually generalize the model checking result from [Pel00].

Outline. In Section 2 we define message sequence charts, the logic PDL, and CFMs. We continue, in Section 3, with several useful constructions for CFMs. Sections 4 and 5 deal with the translation of PDL formulas into CFMs. The model checking problem is tackled in Section 6 before we conclude, in Section 7, with the result that PDL with intersection (iPDL) cannot be implemented in terms of CFMs.

A preliminary version of this paper appeared as [BKM07].

2. Definitions 

The communication framework used in our paper is based on sequential processes that exchange messages asynchronously over point-to-point, error-free FIFO channels. Let $\mathcal{P}$ be a finite set of process identities which we fix throughout this paper. Furthermore, let $Ch = \{(p, q) \in \mathcal{P} \times \mathcal{P} \mid p \neq q\}$ denote the set of channels. Processes act by either sending a message, that is denoted by $p!q$ meaning that process $p$ sends to process $q$, or by receiving a message, that is denoted by $p?q$, meaning that process $p$ receives from process $q$. For any process $p \in \mathcal{P}$, we define a local alphabet (set of event types on $p$) $\Sigma_p = \{p!q, p?q \mid q \in \mathcal{P} \setminus \{p\}\}$, and we set $\Sigma = \bigcup_{p \in \mathcal{P}} \Sigma_p$.

2.1. Message sequence charts. A message sequence chart depicts processes as vertical lines, which are interpreted as top-down time axes. Moreover, an arrow from one line to a second corresponds to the communication events of sending and receiving a message. Formally, message sequence charts are special labeled partial orders. To define them, we need the following definitions: A $\Sigma$-labeled partial order is a triple $M = (V, \le, \lambda)$ where $(V, \le)$ is a partially ordered set and $\lambda : V \to \Sigma$ is a mapping. For $v \in V$ with $\lambda(v) = p\theta q$ where $\theta \in \{!, ?\}$, let $P(v) = p$ denote the process that $v$ is located at. We set $V_p = P^{-1}(p)$. We define two binary relations proc and msg on $V$:

• $(v, v') \in \mathrm{proc}$ iff $P(v) = P(v')$, $v < v'$, and, for any $u \in V$ with $P(v) = P(u)$ and $v < u \le v'$, we have $u = v'$. The idea is that $(v, v') \in \mathrm{proc}$ whenever $v$ and $v'$ are two consecutive events of the same process.

• $(v, v') \in \mathrm{msg}$ iff there is a channel $(p, q)$ with $\lambda(v) = p!q$, $\lambda(v') = q?p$, and

$|\{u \mid \lambda(u) = p!q,\ u \le v\}| = |\{u \mid \lambda(u) = q?p,\ u \le v'\}|$.

Here, the idea is that $v$ is a send event and $v'$ is the matching receive event. Since we model reliable FIFO-channels, this means that, for some $i$ and some channel $(p, q)$, $v$ is the $i$-th send and $v'$ the $i$-th receive event on channel $(p, q)$.

Definition 2.1. A message sequence chart or MSC for short is a $\Sigma$-labeled partial order $(V, \le, \lambda)$ such that

• ${\le} = (\mathrm{proc} \cup \mathrm{msg})^*$,

• $\{u \in V \mid u \le v\}$ is finite for any $v \in V$,

• $V_p$ is linearly ordered for any $p \in \mathcal{P}$, and

• $|\lambda^{-1}(p!q)| = |\lambda^{-1}(q?p)|$ for any $(p, q) \in Ch$.

We refer to the elements of $V$ as events or nodes.

If $(V, \le, \lambda)$ is an MSC, then proc and msg are even injective partial functions, so $v' = \mathrm{proc}(v)$ as well as $v = \mathrm{proc}^{-1}(v')$ are equivalent notions for $(v, v') \in \mathrm{proc}$; $\mathrm{msg}(v)$ and $\mathrm{msg}^{-1}(v)$ are to be understood similarly.

An example MSC with three processes is pictured as a diagram in Figure 1(b). The processes are visualized as vertical lines going downwards and messages as horizontal directed edges between process lines.

2.2. Propositional dynamic logic. Path expressions $\pi$ and local formulas $\alpha$ are defined by simultaneous induction. This induction is described by the following rules

$\pi ::= \mathrm{proc} \mid \mathrm{msg} \mid \{\alpha\} \mid \pi;\pi \mid \pi + \pi \mid \pi^*$

$\alpha ::= \sigma \mid \alpha \vee \alpha \mid \neg\alpha \mid \langle\pi\rangle\alpha \mid \langle\pi\rangle^{-1}\alpha$

where $\sigma$ ranges over the alphabet $\Sigma$.
Local formulas express properties of single nodes in MSCs. To define the semantics of local formulas, let therefore $M = (V, \le, \lambda)$ be an MSC and $v$ a node from $M$. Then we define

$M, v \models \sigma \iff \lambda(v) = \sigma$ for $\sigma \in \Sigma$

$M, v \models \alpha_1 \vee \alpha_2 \iff M, v \models \alpha_1$ or $M, v \models \alpha_2$

$M, v \models \neg\alpha \iff M, v \not\models \alpha$

The idea of forward-path modalities $\langle\pi\rangle\alpha$ indexed by a path expression $\pi$ is to perform a program $\pi$ and then to check whether $\alpha$ is satisfied. Thereby, $\pi$ is a rational expression over proc and msg describing paths in an MSC but allows also for tests $\{\alpha\}$ in following the paths defined by $\pi$. Formally, the semantics of forward-path formulas $\langle\pi\rangle\alpha$ is given by

$M, v \models \langle\mathrm{proc}\rangle\alpha \iff$ there exists $v' \in V$ with $(v, v') \in \mathrm{proc}$ and $M, v' \models \alpha$

$M, v \models \langle\mathrm{msg}\rangle\alpha \iff$ there exists $v' \in V$ with $(v, v') \in \mathrm{msg}$ and $M, v' \models \alpha$

$M, v \models \langle\{\alpha\}\rangle\beta \iff M, v \models \alpha$ and $M, v \models \beta$

$M, v \models \langle\pi_1;\pi_2\rangle\alpha \iff M, v \models \langle\pi_1\rangle\langle\pi_2\rangle\alpha$

$M, v \models \langle\pi_1 + \pi_2\rangle\alpha \iff M, v \models \langle\pi_1\rangle\alpha \vee \langle\pi_2\rangle\alpha$

$M, v \models \langle\pi^*\rangle\alpha \iff$ there exists $n \ge 0$ with $M, v \models (\langle\pi\rangle)^n\alpha$
The semantics of backward-path formulas $\langle\pi\rangle^{-1}\alpha$ is defined similarly:

$M, v \models \langle\mathrm{proc}\rangle^{-1}\alpha \iff$ there exists $v' \in V$ with $(v', v) \in \mathrm{proc}$ and $M, v' \models \alpha$

$M, v \models \langle\mathrm{msg}\rangle^{-1}\alpha \iff$ there exists $v' \in V$ with $(v', v) \in \mathrm{msg}$ and $M, v' \models \alpha$

$M, v \models \langle\{\alpha\}\rangle^{-1}\beta \iff M, v \models \alpha$ and $M, v \models \beta$

$M, v \models \langle\pi_1;\pi_2\rangle^{-1}\alpha \iff M, v \models \langle\pi_1\rangle^{-1}\langle\pi_2\rangle^{-1}\alpha$

$M, v \models \langle\pi_1 + \pi_2\rangle^{-1}\alpha \iff M, v \models \langle\pi_1\rangle^{-1}\alpha \vee \langle\pi_2\rangle^{-1}\alpha$

$M, v \models \langle\pi^*\rangle^{-1}\alpha \iff$ there exists $n \ge 0$ with $M, v \models (\langle\pi\rangle^{-1})^n\alpha$

Semantically, a local formula of the form $\langle(\{\alpha\};(\mathrm{proc}+\mathrm{msg}))^*\rangle\beta$ corresponds to the until construct $\alpha\,\mathsf{U}\,\beta$ in Peled's TLC$^-$ [Pel00]. In TLC$^-$, however, one cannot express properties such as "there is an even number of messages from $p$ to $q$", which is easily expressible in PDL.

Global properties of an MSC are Boolean combinations of properties of the form "there exists a node satisfying the local formula $\alpha$". These global properties are expressed by global formulas $\varphi$ whose syntax is given by

$\varphi ::= \mathsf{E}\alpha \mid \mathsf{A}\alpha \mid \varphi \vee \varphi \mid \varphi \wedge \varphi$

where $\alpha$ ranges over the set of local formulas. The semantics is defined by

$M \models \mathsf{E}\alpha \iff$ there exists a node $v$ with $M, v \models \alpha$

$M \models \mathsf{A}\alpha \iff M, v \models \alpha$ for all nodes $v$

$M \models \varphi_1 \vee \varphi_2 \iff M \models \varphi_1$ or $M \models \varphi_2$

$M \models \varphi_1 \wedge \varphi_2 \iff M \models \varphi_1$ and $M \models \varphi_2$
Note that our syntax of global formulas does not allow explicit negation. But since we allow existential and universal quantification as well as disjunction and conjunction, the expressible properties are closed under negation.

Example 2.2. For $i \in \mathcal{P}$, we put $P_i = \bigvee_{j \in \mathcal{P} \setminus \{i\}} (i!j \vee i?j)$, i.e., $M, v \models P_i$ iff $P(v) = i$ for every MSC $M = (V, \le, \lambda)$ and $v \in V$. Now the global formula

$\varphi_{ij} = \mathsf{A}\big(P_i \to \langle\mathrm{proc}^*;\mathrm{msg};\mathrm{proc}^*;\mathrm{msg}\rangle P_j\big)$

states that process $j$ can always be reached from process $i$ with exactly two messages (using an intermediate process in between).
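The following Python, added here and not part of the paper, builds a finite MSC from per-process action lists exactly as in Section 2.1 and evaluates local and global PDL formulas by the clauses above, including the formula $\varphi_{ij}$ of Example 2.2. The nested-tuple encoding of formulas and the sample chart (a finite run in the spirit of Example 2.5) are constructed assumptions, and the chart is assumed well formed.

```python
# Added example, not the paper's code: a PDL evaluator over finite MSCs built as in
# Section 2.1; the input chart is assumed well formed (its proc/msg graph is acyclic).
def build_msc(lines):
    """lines: process -> top-down list of ("!", q) for p!q or ("?", q) for p?q.
    Returns (lab, proc, msg): lab[v] is the letter (p, kind, q) of event v = (p, i);
    the i-th send on channel (p, q) is matched with the i-th receive q?p."""
    lab, proc, msg = {}, {}, {}
    for p, acts in lines.items():
        for i, (kind, q) in enumerate(acts):
            lab[(p, i)] = (p, kind, q)
            if i:
                proc[(p, i - 1)] = (p, i)
    for p in lines:
        for q in lines:
            if p != q:
                sends = [v for v in lab if v[0] == p and lab[v][1:] == ("!", q)]
                recvs = [v for v in lab if v[0] == q and lab[v][1:] == ("?", p)]
                if len(sends) != len(recvs):  # |lambda^-1(p!q)| = |lambda^-1(q?p)|
                    raise ValueError(f"unbalanced channel ({p},{q})")
                msg.update(zip(sends, recvs))  # lab keys are in top-down order
    return lab, proc, msg

def reach(M, pi, v, inv=False):
    """Events reachable from v along path expression pi.  inv=True follows proc
    and msg backwards; a sequence is then pi1 first, then pi2, which is exactly
    the page's clause <pi1;pi2>^-1 a = <pi1>^-1 <pi2>^-1 a."""
    lab, proc, msg = M
    if pi in ("proc", "msg"):
        rel = proc if pi == "proc" else msg
        if inv:
            return {u for u, w in rel.items() if w == v}
        return {rel[v]} if v in rel else set()
    op = pi[0]
    if op == "test":
        return {v} if sat(M, v, pi[1]) else set()
    if op == "seq":
        return {w for u in reach(M, pi[1], v, inv) for w in reach(M, pi[2], u, inv)}
    if op == "plus":
        return reach(M, pi[1], v, inv) | reach(M, pi[2], v, inv)
    if op == "star":  # some n >= 0 iterations of pi: closure under one more step
        seen, todo = {v}, [v]
        while todo:
            for w in reach(M, pi[1], todo.pop(), inv) - seen:
                seen.add(w)
                todo.append(w)
        return seen
    raise ValueError(f"unknown path expression {pi!r}")

def sat(M, v, a):
    """M, v |= a for a local formula a (Section 2.2)."""
    op = a[0]
    if op == "lab":
        return M[0][v] == a[1]
    if op == "or":
        return sat(M, v, a[1]) or sat(M, v, a[2])
    if op == "not":
        return not sat(M, v, a[1])
    if op in ("fwd", "bwd"):  # <pi>a and <pi>^-1 a
        return any(sat(M, w, a[2]) for w in reach(M, a[1], v, op == "bwd"))
    raise ValueError(f"unknown local formula {a!r}")

def gsat(M, phi):
    """M |= phi for a global formula: E / A quantify over all events of M."""
    op = phi[0]
    if op in ("E", "A"):
        return (any if op == "E" else all)(sat(M, v, phi[1]) for v in M[0])
    if op == "or":
        return gsat(M, phi[1]) or gsat(M, phi[2])
    return gsat(M, phi[1]) and gsat(M, phi[2])

def on_process(i, procs):
    """P_i of Example 2.2: the disjunction of all letters i!j and i?j."""
    f = None
    for j in procs:
        for kind in "!?":
            if j != i:
                f = ("lab", (i, kind, j)) if f is None else ("or", f, ("lab", (i, kind, j)))
    return f

def two_messages_away(i, j, procs):
    """phi_ij = A(P_i -> <proc*;msg;proc*;msg> P_j); the syntax has no arrow, so
    the implication is written as not P_i or ..."""
    path = ("seq", ("star", "proc"), ("seq", "msg", ("seq", ("star", "proc"), "msg")))
    return ("A", ("or", ("not", on_process(i, procs)), ("fwd", path, on_process(j, procs))))

# Constructed finite behaviour in the spirit of Example 2.5: client 1 is refused
# once by server 2, then granted, and finally sends to interface 3.
SAMPLE = build_msc({1: [("!", 2), ("?", 2), ("!", 2), ("?", 2), ("!", 3)],
                    2: [("?", 1), ("!", 1), ("?", 1), ("!", 1)],
                    3: [("?", 1)]})
PROCS = (1, 2, 3)

# Backward modality: every reply the client receives was sent by the server right
# after it received a request (step back over the message, then back one event).
REPLY_FOLLOWS_REQUEST = ("A", ("or", ("not", ("lab", (1, "?", 2))),
                               ("bwd", ("seq", "msg", "proc"), ("lab", (2, "?", 1)))))

if __name__ == "__main__":
    for name, phi in [("phi_23", two_messages_away(2, 3, PROCS)),
                      ("phi_13", two_messages_away(1, 3, PROCS)),
                      ("reply_follows_request", REPLY_FOLLOWS_REQUEST)]:
        print(name, gsat(SAMPLE, phi))  # True, False, True
```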

Definition 2.3. The set of subformulas $\mathrm{sub}(\alpha)$ of a local formula $\alpha$ and the set of subformulas $\mathrm{sub}(\pi)$ of a path expression $\pi$ are defined by synchronous induction as follows:

$\mathrm{sub}(\mathrm{proc}) = \mathrm{sub}(\mathrm{msg}) = \emptyset$

$\mathrm{sub}(\{\alpha\}) = \mathrm{sub}(\alpha)$

$\mathrm{sub}(\pi_1;\pi_2) = \mathrm{sub}(\pi_1 + \pi_2) = \mathrm{sub}(\pi_1) \cup \mathrm{sub}(\pi_2)$

$\mathrm{sub}(\pi^*) = \mathrm{sub}(\pi)$

and

$\mathrm{sub}(\sigma) = \{\sigma\}$ for $\sigma \in \Sigma$

$\mathrm{sub}(\neg\alpha) = \{\neg\alpha\} \cup \mathrm{sub}(\alpha)$

$\mathrm{sub}(\alpha \vee \beta) = \{\alpha \vee \beta\} \cup \mathrm{sub}(\alpha) \cup \mathrm{sub}(\beta)$

$\mathrm{sub}(\langle\pi\rangle\alpha) = \{\langle\pi\rangle\alpha\} \cup \mathrm{sub}(\pi) \cup \mathrm{sub}(\alpha)$

$\mathrm{sub}(\langle\pi\rangle^{-1}\alpha) = \{\langle\pi\rangle^{-1}\alpha\} \cup \mathrm{sub}(\pi) \cup \mathrm{sub}(\alpha)$

Thus, in addition to the obvious definition, a subformula of a path expression is any of the local formulas occurring in the path expression as well as any subformula of these local formulas. In particular, contrary to what one might expect, a rather long local formula like $\psi = \langle\mathrm{proc};\{\alpha\};\mathrm{proc};\{\alpha\};\mathrm{proc};\{\alpha\};\mathrm{proc};\{\alpha\}\rangle\alpha$ has only two subformulas, namely $\psi$ itself and $\alpha$. The number of subformulas of $\alpha$ is bounded by the length of $\alpha$, but the length of $\alpha$ cannot be bounded in terms of the number of subformulas.

Note that a path expression $\pi$ is a regular expression over the following alphabet $\{\mathrm{proc}, \mathrm{msg}, \{\alpha_1\}, \ldots, \{\alpha_n\}\}$ for some local formulas $\alpha_i$. The size $s(\pi)$ of $\pi$ is defined by $s(\{\alpha\}) = s(\mathrm{proc}) = s(\mathrm{msg}) = 1$, $s(\pi_1 + \pi_2) = s(\pi_1;\pi_2) = s(\pi_1) + s(\pi_2)$ and $s(\pi^*) = s(\pi)$ (i.e., it is the number of occurrences of $\{\alpha\}$, msg, and proc in the regular expression $\pi$). Note that the size of the path expression $\{\alpha\}$ is 1, independent from the concrete form of the local formula $\alpha$.

2.3. Communicating finite-state machines. One formalism to describe (asynchronous) communication protocols are communicating finite-state machines (CFM for short) [BZ83]. They form a basic model for distributed algorithms based on asynchronous message passing between concurrent processes. Thus, the basic actions performed are just sending and receiving of messages (i.e., letters from $\Sigma$).

A CFM $\mathcal{A}$ consists of a collection of finite automata $\mathcal{A}_p$, one for each process $p \in \mathcal{P}$. The automaton $\mathcal{A}_p$ performs the actions of process $p$, i.e., the send events $p!q$ and the receive events $p?q$ for all $q \neq p$. Moreover, the single automata synchronize by control messages
Figure 1: A CFM and an infinite MSC accepted by it. (a) A CFM over {Client, Server, Interface}. (b) An infinite MSC.



from some finite set $C$. Whenever $\mathcal{A}_p$ sends a message to $\mathcal{A}_q$, then $\mathcal{A}_p$ and $\mathcal{A}_q$ share some common control message $c \in C$. The final states of a CFM are defined globally and the local components of a final state have either to be repeated infinitely often by the process or the process terminates in such a local state.

We extend the alphabet $\Sigma$ for later purposes to $\Sigma \times \{0, 1\}^n$ for some $n \in \mathbb{N}$; the classical model is obtained by setting $n = 0$ in the below definition (in which case we write $\mathcal{A} = (C, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$).

Definition 2.4. A communicating finite-state machine (or, simply, CFM) is a structure $\mathcal{A} = (C, n, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$ with $n \in \mathbb{N}$ where

• $C$ is a finite set of message contents or control messages,

• $\mathcal{A}_p = (S_p, \to_p, \iota_p)$ is a finite labeled transition system over the alphabet $\Sigma_p \times \{0, 1\}^n \times C$ for any $p \in \mathcal{P}$ (i.e., ${\to_p} \subseteq S_p \times (\Sigma_p \times \{0, 1\}^n \times C) \times S_p$) with initial state $\iota_p \in S_p$,

• $F \subseteq \prod_{p \in \mathcal{P}} S_p$ is a set of global final states.

Now let $\mathcal{A}$ be a CFM as above, $M = (V, \le, \lambda)$ be an MSC, and $c : V \to \{0, 1\}^n$. A run of $\mathcal{A}$ on $(M, c)$ is a pair $(\rho, \mu)$ of mappings $\rho : V \to \bigcup_{p \in \mathcal{P}} S_p$ and $\mu : V \to C$ such that, for any $v \in V$,

(1) $\mu(v) = \mu(\mathrm{msg}(v))$ if $\mathrm{msg}(v)$ is defined,

(2) $(\rho(\mathrm{proc}^{-1}(v)), \lambda(v), c(v), \mu(v), \rho(v)) \in {\to_{P(v)}}$ if $\mathrm{proc}^{-1}(v)$ is defined, and $(\iota_{P(v)}, \lambda(v), c(v), \mu(v), \rho(v)) \in {\to_{P(v)}}$ otherwise.

In order to define when the run $(\rho, \mu)$ is accepting, we will use Büchi-conditions on each process. For this, one is usually interested in the set of states that appear infinitely often. But since, even in an infinite MSC, some of the processes may execute only finitely many events, the set of states appearing infinitely often is here generalized to the set of states that appear cofinally: Let $\mathrm{cofin}_p(\rho) = \{s \in S_p \mid \forall v \in V_p\ \exists v' \in V_p : v \le v' \wedge \rho(v') = s\}$. Then the run $(\rho, \mu)$ is accepting if there is some $(s_p)_{p \in \mathcal{P}} \in F$ such that $s_p \in \mathrm{cofin}_p(\rho)$ for all $p \in \mathcal{P}$. The language of $\mathcal{A}$ is the set $L(\mathcal{A})$ of all pairs $(M, c)$ that admit an accepting run.

Example 2.5. Consider the CFM illustrated in Figure 1(a). A client (process 1) communicates with a server (process 2) sending requests (message content $r$) to receive permission to send a message to the interface (process 3). If the server refuses permission (message content $x$), the request is repeated. But if permission is given (message content $\checkmark$), then the client sends a message $c$ to the interface. Now the client can start again to send requests to the server. Here, the only accepting state is $(s_3, t_0, q_0)$. Thus the client can either stop after sending a message to the interface (and all other processes also stop) or the client has to send infinitely many messages to the interface, i.e., every request of the client is eventually followed by a communication with the interface.

The MSC pictured in Figure 1(b) is one possible behavior of the CFM. Moreover, any MSC $M$ accepted by this CFM satisfies the formula $\varphi_{23}$ from Example 2.2.



3. Constructions of CFMs 

In this section, we present some particular CFMs and constructions of CFMs. The 
purpose is twofold: the results will be used later, and the reader shall become acquainted 
with the computational power of CFMs. Hence, some readers might choose to skip the 
details of this section in a first reading. 

3.1. Intersection. Here, we show that the intersection of languages accepted by CFMs can again be accepted by a CFM. Since the acceptance by a CFM is defined in terms of a Büchi-condition, we can adopt the flag construction [Cho74] from the theory of word automata with Büchi-acceptance condition (cf. proof of Lemma 1.2 in [Tho90]). The additional problem we face here is the interplay between different processes.

The basic idea of our construction is as follows (for two CFMs $\mathcal{A}^1$ and $\mathcal{A}^2$): each local process guesses an accepting global state $f^1 = (f^1_p)_{p \in \mathcal{P}}$ of $\mathcal{A}^1$ and $f^2 = (f^2_p)_{p \in \mathcal{P}}$ of $\mathcal{A}^2$. Then, locally, process $p$ simulates both CFMs $\mathcal{A}^1$ and $\mathcal{A}^2$ and checks that $f^1_p$ and $f^2_p$ are visited infinitely often (here, one relies on Choueka's flag construction). Hence, the set of local states of process $p$ equals $F^1 \times F^2 \times S^1_p \times S^2_p \times \{0, 1, 2\}$. A global state is accepting if all the guesses locally made coincide and if the local processes accept according to the flag construction.

Recall that the set of accepting states $F^1$ is a set of tuples; its maximal size is therefore $\prod_{p \in \mathcal{P}} |S^1_p|$. Thus, the intersection of two CFMs with $s$ local states per process can result in a CFM with $s^{|\mathcal{P}|} \cdot s^{|\mathcal{P}|} \cdot s^2 \cdot 3 = 3 s^{2|\mathcal{P}| + 2}$ many local states per process.

Now suppose that $F^1$ and $F^2$ are direct products, i.e., $F^1 = \prod_{p \in \mathcal{P}} F^1_p$ for some sets $F^1_p \subseteq S^1_p$ and, similarly, $F^2 = \prod_{p \in \mathcal{P}} F^2_p$ for some sets $F^2_p \subseteq S^2_p$. Then, in the above construction, it is not necessary for the local guesses to coincide, which makes them superfluous (cf. proof of Proposition 3.3 below). Thus, in this case, the set of local states of process $p$ will just be $S^1_p \times S^2_p \times \{0, 1, 2\}$; in particular, it will not be exponential in the number of processes.

To use this simplification of the construction, we introduce the following notion. 

Definition 3.1. Let $F \subseteq \prod_{p \in \mathcal{P}} S_p$. The index of $F$ is the least number $n$ such that there are sets $F^i_p \subseteq S_p$ for $p \in \mathcal{P}$ and $1 \le i \le n$ with $F = \bigcup_{1 \le i \le n} \prod_{p \in \mathcal{P}} F^i_p$. The index of a CFM is the index of its set of accepting states.

PROPOSITIONAL DYNAMIC LOGIC FOR MESSAGE-PASSING SYSTEMS

Clearly, the index of a CFM is bounded by $s^{|\mathcal{P}|}$ where $s$ is the maximal size of a set of local states $S_p$. To see that it can indeed be quite large, let $\mathcal{P} = S_p = [n]$ for all $p \in \mathcal{P}$ (where we let $[n] = \{1, \ldots, n\}$). Furthermore, let $F$ be the set of all tuples $(s_p)_{p \in \mathcal{P}}$ such that $\{s_p \mid p \in \mathcal{P}\} = [n]$, i.e., the set of surjections from $[n]$ onto $[n]$. Hence $F$ contains $n!$ many elements. Any two of them differ in at least two positions. Hence the index of $F$ equals its size and is exponential in $n$ and therefore in $|\mathcal{P}|$. Despite this exponential example, we will encounter only small indices in our constructions.

Lemma 3.2. For $1 \le i \le m$, let $\mathcal{A}^i = (C^i, n, (S^i_p, \to^i_p, \iota^i_p)_{p \in \mathcal{P}}, F^i)$ be CFMs of index 1. Then there exists a CFM $\mathcal{A}$ of index 1 that accepts $(M, c)$ with $M$ an MSC and $c : V \to \{0, 1\}^n$ iff it is accepted by $\mathcal{A}^i$ for all $i \in [m]$.

The set of messages of $\mathcal{A}$ is $\prod_{i \in [m]} C^i$ and the set of local states of process $p$ is $\{0, 1, \ldots, m\} \times \prod_{i \in [m]} S^i_p$.

Proof. Since $F^i$ has index 1, there exist sets $F^i_p \subseteq S^i_p$ with $F^i = \prod_{p \in \mathcal{P}} F^i_p$.

The idea of the proof is that $\mathcal{A}$ will simulate all the machines $\mathcal{A}^i$ in parallel. In addition, it checks that, for each $p \in \mathcal{P}$ and $i \in [m]$, some state from $F^i_p$ is assumed cofinally (i.e., infinitely often or, if process $p$ executes only finitely many events, at the last event from $p$). Formally, we set

$\iota_p = (m, \iota^1_p, \ldots, \iota^m_p)$ if $\iota^i_p \in F^i_p$ for all $i \in [m]$, and $\iota_p = (0, \iota^1_p, \ldots, \iota^m_p)$ otherwise,

and $F = \prod_{p \in \mathcal{P}} (\{m\} \times \prod_{i \in [m]} S^i_p)$. Furthermore, $(a, (s_i)_{i \in [m]}) \xrightarrow{\sigma, (b_i)_{i \in [m]}}_p (a', (s'_i)_{i \in [m]})$ with $b_i \in C^i$ is a transition of $\mathcal{A}$ iff

(1) $s_i \xrightarrow{\sigma, b_i}_p s'_i$ is a transition of $\mathcal{A}^i$ for all $i \in [m]$, and

(2) $a' = m$ if $s'_i \in F^i_p$ for all $i \in [m]$; $a' = 0$ if $a = m$ and $s'_i \notin F^i_p$ for some $i \in [m]$; $a' = a + 1$ if $a < m$, $s'_{a+1} \in F^{a+1}_p$ and $s'_i \notin F^i_p$ for some $i \in [m]$; $a' = a$ otherwise.

Recall the classical flag construction for $\omega$-word automata. There, the value of the counter $a$ indicates that the composite machine waits for an accepting state of the simulated machine $a + 1$; a value $m$ indicates that all simulated machines went through some accepting states. Here, we do the same. But, in addition, if all component states of the composite machine are accepting, then we set the counter value directly to $m$. This is useful when process $p$ executes only finitely many events. Then, at its final event $v$, all the component machines have to be in some accepting state. For processes executing infinitely many events, this is of no importance. □
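As an added illustration, not code from the paper, the following Python implements the counter rule (2) above for one process and $m$ simulated components, and decides the cofinality condition both for a finite local run and for a lasso-shaped infinite run (prefix followed by a loop repeated forever); the state names, accepting sets and runs are constructed.

```python
# Added example (not from the paper): the counter of Lemma 3.2 for one process p.
# A component tuple (s'_1, ..., s'_m) is what the m simulated machines reach after
# an event; accepting[i] plays the role of F^{i+1}_p.  All names are constructed.

def flag_step(a, states, accepting):
    """Rule (2): the new counter a' from the old counter a and the new states."""
    m = len(states)
    in_f = [s in accepting[i] for i, s in enumerate(states)]
    if all(in_f):          # every component is accepting right now
        return m
    if a == m:             # counter was m and some component left its accepting set
        return 0
    if in_f[a]:            # a < m and s'_{a+1} is accepting (0-based index a)
        return a + 1
    return a

def initial_counter(init_states, accepting):
    """Counter of the local initial state iota_p: m iff every iota^i_p is accepting."""
    m = len(init_states)
    return m if all(s in accepting[i] for i, s in enumerate(init_states)) else 0

def counter_trace(init_states, steps, accepting):
    """Counter values along a local run; steps[k] is the component tuple after event k."""
    a = initial_counter(init_states, accepting)
    trace = [a]
    for st in steps:
        a = flag_step(a, st, accepting)
        trace.append(a)
    return trace

def accepts_finite(init_states, steps, accepting):
    """Process p stops after the last event: its final state must carry counter m,
    the only local states that occur in F."""
    return counter_trace(init_states, steps, accepting)[-1] == len(init_states)

def accepts_lasso(init_states, prefix, loop, accepting):
    """Infinite run prefix.loop^omega: m must appear cofinally.  The counter at the
    start of a loop copy is a function of the counter one copy earlier on the finite
    set {0..m}, so after m+1 copies it is periodic with period <= m+1; unrolling
    2(m+1)+1 copies and inspecting the last m+1 copies therefore decides it."""
    m = len(init_states)
    trace = counter_trace(init_states, prefix + loop * (2 * (m + 1) + 1), accepting)
    return m in trace[len(trace) - (m + 1) * len(loop):]

def components_accept_lasso(loop, accepting):
    """Direct Buchi check: each component visits its accepting set inside the loop."""
    return all(any(st[i] in accepting[i] for st in loop) for i in range(len(accepting)))

# Constructed data: m = 3 components whose accepting states are f1, f2, f3.
ACC = [{"f1"}, {"f2"}, {"f3"}]
INIT = ("x", "x", "x")
ROUND_ROBIN = [("f1", "y", "y"), ("y", "f2", "y"), ("y", "y", "f3")]  # all accept
NO_SECOND = [("f1", "y", "y"), ("y", "y", "f3")]                      # component 2 never

if __name__ == "__main__":
    print(counter_trace(INIT, ROUND_ROBIN * 2, ACC))                 # [0, 1, 2, 3, 0, 0, 0]
    print(accepts_lasso(INIT, [], ROUND_ROBIN, ACC))                  # True
    print(accepts_lasso(INIT, [("f1", "f2", "f3")], NO_SECOND, ACC))  # False
```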

Proposition 3.3. For $i \in [m]$, let $\mathcal{A}^i = (C^i, n, (S^i_p, \to^i_p, \iota^i_p)_{p \in \mathcal{P}}, F^i)$ be a CFM of index $\ell_i$. Then there exists a CFM $\mathcal{A}$ of index $\prod_{1 \le i \le m} \ell_i$ that accepts $(M, c)$ with $M$ an MSC and $c : V \to \{0, 1\}^n$ iff it is accepted by $\mathcal{A}^i$ for all $i \in [m]$.

The set of messages of $\mathcal{A}$ is $\prod_{i \in [m]} C^i$. Moreover, the set of local states of process $p$ is $\{\iota_p\} \cup (\{0, 1, 2, \ldots, m\} \times \prod_{i \in [m]} S^i_p \times \prod_{i \in [m]} [\ell_i])$.

Proof. Since the index of $\mathcal{A}^i$ is $\ell_i$, its language is the union of languages $L^i_1, \ldots, L^i_{\ell_i}$ that can each be accepted by a CFM of index 1. The language in question is therefore given by $\bigcup_{j \in \prod_{i \in [m]} [\ell_i]} \bigcap_{i \in [m]} L^i_{j_i}$. By Lemma 3.2, the intersection $\bigcap_{i \in [m]} L^i_{j_i}$ can be accepted by a CFM of index 1 with set of local states $\{0, 1, 2, \ldots, m\} \times \prod_{i \in [m]} S^i_p \times \{j\}$. The disjoint union of all these CFMs (together with new local initial states) accepts the language in question; its set of local states equals $\{\iota_p\} \cup (\{0, 1, 2, \ldots, m\} \times \prod_{i \in [m]} S^i_p \times \prod_{i \in [m]} [\ell_i])$ and its index is $\prod_{1 \le i \le m} \ell_i$ as claimed. □

3.2. Infinitely running processes. For an MSC $M = (V, \le, \lambda)$, let $\mathrm{Inf}(M) \subseteq Ch$ denote the set of those channels $(p, q)$ that are used infinitely often, i.e., $\mathrm{Inf}(M) = \{(p, q) \in Ch \mid \lambda^{-1}(p!q) \text{ is infinite}\}$. From a set $I \subseteq Ch$, we want to construct a CFM of index 1 that checks whether $\mathrm{Inf}(M) = I$.

Lemma 3.4. Let $I \subseteq Ch$. There exists a CFM $\mathcal{A}_I$ of index 1 with three local states per process and one message that accepts an MSC $M$ iff $\mathrm{Inf}(M) \subseteq I$.

Proof. The sets of local states are given by $S_p = \{0, 1, 2\}$ for any $p \in \mathcal{P}$; the state 0 is locally initial. The only control message is 1. Then we set $a \xrightarrow{\sigma, 1}_p b$ iff ($a = b$ and $\sigma$ uses a channel from $I$) or ($a < b$ and $\sigma$ does not use a channel from $I$) or $a = b = 1$. Then state 0 indicates that no channel of $Ch \setminus I$ has been used, 1 indicates that some channel from $Ch \setminus I$ has been used and that some channel will be used, and 2 denotes that some channel from $Ch \setminus I$ has been used but none will ever be used in the future. Hence, process $p$ uses the channels from $Ch \setminus I$ only finitely often iff it can visit 0 or 2 cofinally. Setting $F = \prod_{p \in \mathcal{P}} \{0, 2\}$ therefore finishes the construction of the desired CFM. □

Lemma 3.5. Let $I \subseteq Ch$. There exists a CFM $\mathcal{B}_I$ of index 1 with $4^{|\mathcal{P}| - 1}$ local states per process and one message that accepts an MSC $M$ iff $I \subseteq \mathrm{Inf}(M)$.

Proof. For $p \in \mathcal{P}$ let $S_p = \{0, 1\}^{\Sigma_p}$ and set $C = \{1\}$. The locally initial state $\iota_p \in S_p$ maps all $\tau \in \Sigma_p$ to 0. Then we set $g \xrightarrow{\sigma, 1}_p g'$ for $g, g' \in S_p$ and $\sigma \in \Sigma_p$ iff

$g'(\tau) = g(\tau)$ if $\tau \neq \sigma$, and $g'(\tau) = 1 - g(\tau)$ otherwise,

for all $\tau \in \Sigma_p$. Thus, the local process $p$ counts modulo 2 the number of occurrences of any local action. The channel $(p, q)$ is used infinitely often iff the following two properties hold:

• Process $p$ visits a state $g_p$ with $g_p(p!q) = 0$ cofinally.

• Process $q$ visits a state $g_q$ with $g_q(q?p) = 1$ cofinally.

Therefore, a global state $(g_p)_{p \in \mathcal{P}}$ is final (i.e., belongs to $F$) iff, for any $(p, q) \in I$, we have $g_p(p!q) = 0$ and $g_q(q?p) = 1$. □

Proposition 3.6. Let $I \subseteq Ch$. There exists a CFM $\mathcal{B}$ of index 1 with $3 \cdot 3 \cdot 4^{|\mathcal{P}| - 1}$ local states per process and one message that accepts an MSC $M$ iff $I = \mathrm{Inf}(M)$.

Proof. Follows immediately from Lemmas 3.4, 3.5 and 3.2. □

3.3. The color language. In this section, we build a CFM that accepts some "black/white colored" MSCs. The aim is that whenever a coloring is accepted, then any infinite path in the MSC has infinitely many color changes (cf. Cor. 3.9). This language will be the crucial ingredient in our handling of forward-path formulas of the form $\langle\pi\rangle\alpha$ (cf. Section 4.2).

For the time being, we proceed as follows: first, we define a language Col whose elements are colored MSCs $(M, c)$. Prop. 3.7 shows that this language can be accepted by a CFM. Cor. 3.9 ensures that any infinite path in $(M, c) \in \mathrm{Col}$ has infinitely many color changes. We do not prove the converse (which is actually false), but will see later that sufficiently many colorings with this property belong to Col (Lemma 4.14).
Figure 2: The second condition.



Let $M$ be an MSC and $c : V \to \{0, 1\}$. On $V$, we define an equivalence relation $\sim$ setting $u \sim w$ iff $P(u) = P(w)$ and, for all $v \in V$ with ($u \le v \le w$ or $w \le v \le u$) and $P(u) = P(v)$, we have $c(u) = c(v) = c(w)$ (i.e., a $\sim$-equivalence class is a maximal monochromatic interval on a process line).

Let Col be the set of all pairs $(M, c)$ with $c : V \to \{0, 1\}$ such that the following hold

(1) if $v$ is minimal on its process, then $c(v) = 1$,

(2) if $(v, v') \in \mathrm{msg}$ and $w' \le v'$ with $P(w') = P(v')$, then there exists $(u, u') \in \mathrm{msg}$ with $\lambda(u') = \lambda(v')$, $c(u) = c(u')$, and $u' \sim w'$ (implying $\lambda(u) = \lambda(v)$),

(3) any equivalence class of $\sim$ is finite.

Figure 2 visualizes the second condition: on the left, we have the precondition while the right diagram indicates the conclusion. More precisely, in the precondition, we have a message $(v, v') \in \mathrm{msg}$ from process $p$ to process $q$ and some node $w'$ preceding $v'$ on the same process. Recall that equivalence classes of $\sim$ are intervals on process lines. The borders of the equivalence class containing $w'$ are indicated. Then, by the conclusion, there is a message $(u, u') \in \mathrm{msg}$ from $p$ to $q$ such that $u'$ belongs to the indicated equivalence class of $\sim$ (that also contains $w'$) and the colors of $u$ and $u'$ are the same (which is not indicated). In general, there can be messages $(u, u') \in \mathrm{msg}$ such that the colors of $u$ and $u'$ are different, i.e., $c(u) \neq c(u')$. The second condition ensures that there are "many" messages where the send and the receive event carry the same color.

Proposition 3.7. There exists a CFM $\mathcal{A}_{Col}$ that accepts the set Col. The CFM $\mathcal{A}_{Col}$ has two messages and its number of local states is in $2^{O(|\mathcal{P}|)}$.

Proof. Since the language Col consists of pairs $(M, c)$, any process $p$ of a CFM with two messages executes a sequence of events from $((\Sigma_p \times \{0, 1\}) \times \{0, 1\})^\infty$ (with $\Gamma^\infty$ the set of finite and infinite words over $\Gamma$) where $((\sigma, a), b)$ stands for a $(\sigma, a)$-labeled event that sends or receives $b$. Our automaton $\mathcal{A}_{Col}$ will always send the current value of the mapping $c$, i.e., the set of control messages is $\{0, 1\}$ and we will only execute events from

$\Gamma_p = \{((p!q, a), a) \mid q \in \mathcal{P} \setminus \{p\},\ a \in \{0, 1\}\} \cup \{((p?q, a), b) \mid q \in \mathcal{P} \setminus \{p\},\ a, b \in \{0, 1\}\}$.
Having this in mind, consider for $p \in \mathcal{P}$, $B \subseteq \mathcal{P}$, and $i \in \{0, 1\}$ the language $L^p_{B,i} \subseteq \Gamma_p^*$ with $w \in L^p_{B,i}$ iff

• if $((p!q, a), a)$ occurs in $w$, then $a = i$,

• if $((p?q, a), b)$ occurs in $w$, then $a = i$ and $q \in B$,

• for all $q \in B$, the letter $((p?q, i), i)$ occurs in $w$.

Then $L^p_{B,i}$ is regular and can be accepted by a finite deterministic automaton $\mathcal{B}_{B,i}$ with $2^{|B|}$ many states. We build the $p$-component $\mathcal{A}_p$ of $\mathcal{A}_{\mathrm{Col}}$ from the disjoint union of all these automata $\mathcal{B}_{B,i}$; it therefore has

$$\sum_{B \subseteq \mathcal{P},\ i \in \{0,1\}} 2^{|B|}$$

many states. More precisely, $\mathcal{A}_p$ is obtained from this disjoint union by adding $\varepsilon$-transitions from any accepting state of $\mathcal{B}_{B,i}$ to any initial state of $\mathcal{B}_{C,j}$ iff $B \supseteq C$ and $i \ne j$. The initial states of $\mathcal{A}_p$ are the initial states of $\mathcal{B}_{B,1}$. A finite run is accepting if it ends in some final state of one of the automata $\mathcal{B}_{B,i}$, an infinite run is accepting if it takes infinitely many $\varepsilon$-transitions.

Note that a word $((p\sigma_n q_n, a_n), b_n)_{0 \le n < N} \in \Gamma_p^\infty$ is accepted by $\mathcal{A}_p$ iff

• $a_0 = 1$,

• if $\sigma_n = {!}$, then $a_n = b_n$,

• if $\sigma_n = {?}$ and $m < n$, then there exists $k \in \mathbb{N}$ with $p?q_k = p?q_n$, $a_k = b_k$, and, for all $\ell$ in between $m$ and $k$, we have $a_m = a_\ell = a_k$.

Hence the CFM consisting of these components accepts the language Col. □

The index $\mathrm{ind}(v)$ of a node $v \in V_p$ is the maximal number of mutually non-equivalent nodes from $V_p$ below $v$. Note that $c(v) = \mathrm{ind}(v) \bmod 2$ for all nodes $v$ if the pair $(M, c)$ satisfies (1) in the definition of the language Col.

Lemma 3.8. Let $(M, c) \in \mathrm{Col}$. Then, for any $(v, v') \in \mathrm{msg}$ with $\mathrm{ind}(v) < \mathrm{ind}(v')$, we have $c(v) \ne c(v')$.

Proof. Suppose there is $(v, v') \in \mathrm{msg}$ with $\mathrm{ind}(v) < \mathrm{ind}(v')$ but $c(v) = c(v')$. Since any element of $M$ dominates a finite set, we can assume $v'$ to be minimal with this problem. If $\mathrm{ind}(v) + 1 = \mathrm{ind}(v')$, we are done since $c(v) = \mathrm{ind}(v) \bmod 2 \ne (\mathrm{ind}(v) + 1) \bmod 2 = c(v')$. So let $\mathrm{ind}(v) + 1 < \mathrm{ind}(v')$. Since $(M, c) \in \mathrm{Col}$ and $\mathrm{ind}(v') - 1 > \mathrm{ind}(v) \ge 1$, there exists $(u, u') \in \mathrm{msg}$ with $\lambda(u') = \lambda(v')$, $c(u) = c(u')$, and $\mathrm{ind}(u') = \mathrm{ind}(v') - 1$. In particular, $u' < v'$ and therefore $u < v$. But then $\mathrm{ind}(u) \le \mathrm{ind}(v)$. Now we have $\mathrm{ind}(u) \le \mathrm{ind}(v) < \mathrm{ind}(v') - 1 = \mathrm{ind}(u')$, i.e., $u' < v'$ is another counterexample to the statement of the lemma. But this contradicts the choice of $v'$. □

Corollary 3.9. Let $(M, c) \in \mathrm{Col}$ and let $(v_1, v_2, \ldots)$ be some infinite path in $M$. Then there exist infinitely many $i \in \mathbb{N}$ with $c(v_i) \ne c(v_{i+1})$.

Proof. Since $\mathrm{ind}^{-1}(n)$ is finite for any $n \in \mathbb{N}$, there are infinitely many $i \in \mathbb{N}$ with $\mathrm{ind}(v_i) < \mathrm{ind}(v_{i+1})$. If $(v_i, v_{i+1}) \in \mathrm{proc}$, then $\mathrm{ind}(v_{i+1}) = \mathrm{ind}(v_i) + 1$ and therefore $c(v_i) \ne c(v_{i+1})$. If, in the other case, $(v_i, v_{i+1}) \in \mathrm{msg}$, then by Lemma 3.8 we get $c(v_i) \ne c(v_{i+1})$. □
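As an added example (not code from the paper), the following Python checks conditions (1)-(3) of Col on a small constructed MSC, computes ind(v) from the color blocks on each process line, and tests the conclusion of Lemma 3.8 on one coloring in Col and on one that violates condition (2). It assumes that u ~ w identifies consecutive equally colored events on one process line, as the remark that the classes of ~ are intervals suggests.

```python
"""Membership in Col (Section 3), ind(v) and Lemma 3.8 on a finite MSC.

Added example, not code from the paper.  The MSC is given by each process's
event sequence and the (send, receive) pairs; a coloring c maps events to
{0, 1}.  The equivalence u ~ w used below (same process, same color on every
event between them, so the ~-classes are intervals) is an assumption.
Condition (3) of Col holds automatically because the MSC is finite.
"""

# Constructed MSC: process p sends three messages to process q (FIFO order).
PROCS = {"p": ["s1", "s2", "s3"], "q": ["r1", "r2", "r3"]}
MSGS = [("s1", "r1"), ("s2", "r2"), ("s3", "r3")]

# Constructed colorings.  GOOD lies in Col; BAD violates condition (2) at (s3, r3)
# with w' = r2, and also violates the conclusion of Lemma 3.8 at (s3, r3).
GOOD = {"s1": 1, "s2": 1, "s3": 0, "r1": 1, "r2": 0, "r3": 0}
BAD = {"s1": 1, "s2": 1, "s3": 1, "r1": 1, "r2": 0, "r3": 1}


def process_of(procs):
    """P(v): the process an event belongs to."""
    return {v: p for p, seq in procs.items() for v in seq}


def color_blocks(seq, c):
    """Split one process line into maximal runs of equal color: the ~-classes."""
    out = []
    for v in seq:
        if out and c[out[-1][-1]] == c[v]:
            out[-1].append(v)
        else:
            out.append([v])
    return out


def ind(procs, c):
    """ind(v): number of ~-classes on v's process up to and including v's own."""
    return {v: k for seq in procs.values()
            for k, blk in enumerate(color_blocks(seq, c), start=1) for v in blk}


def in_col(procs, msgs, c):
    """Return (True, 'ok') if (M, c) is in Col, otherwise (False, reason)."""
    P = process_of(procs)
    sender = {r: P[s] for s, r in msgs}          # lambda(r) is P(r)?sender[r]
    cls = {v: k for seq in procs.values()
           for k, blk in enumerate(color_blocks(seq, c)) for v in blk}
    for seq in procs.values():                   # condition (1)
        if c[seq[0]] != 1:
            return False, f"(1) fails: minimal event {seq[0]} has color 0"
    for v, v2 in msgs:                           # condition (2)
        line = procs[P[v2]]
        for w2 in line[: line.index(v2)]:        # every w' < v' on v''s process
            witness = any(P[u2] == P[v2] and sender[u2] == sender[v2]   # lambda(u') = lambda(v')
                          and c[u] == c[u2] and cls[u2] == cls[w2]      # c(u) = c(u'), u' ~ w'
                          for u, u2 in msgs)
            if not witness:
                return False, f"(2) fails for message ({v}, {v2}) and w' = {w2}"
    return True, "ok"


def lemma_3_8_holds(procs, msgs, c):
    """For every (v, v') in msg with ind(v) < ind(v'): c(v) != c(v')."""
    idx = ind(procs, c)
    return all(c[v] != c[v2] for v, v2 in msgs if idx[v] < idx[v2])
```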
4. Translation of local formulas

Let $\alpha$ be a local formula of PDL. We will construct a "small" CFM that accepts a pair $(M, c)$ with $M$ an MSC and $c : V \to \{0, 1\}$ iff $c$ is the characteristic function of the set of positions satisfying $\alpha$, i.e.,

$$c(v) = \begin{cases} 1 & \text{if } M, v \models \alpha \\ 0 & \text{otherwise.} \end{cases}$$

To obtain this CFM, we will first construct another CFM that accepts $(M, (c_\beta)_{\beta \in \mathrm{sub}(\alpha)})$ iff, for all positions $v \in V$ and all subformulas $\beta$ of $\alpha$, we have $M, v \models \beta$ iff $c_\beta(v) = 1$. This CFM will consist of several CFMs running in conjunction, one for each subformula. For instance, if $a \in \Sigma$ and $\delta = \beta \vee \gamma$ are subformulas of $\alpha$, then we will have sub-CFMs that check whether, for any position $v$, we have $c_a(v) = 1$ iff $\lambda(v) = a$ and $c_\delta(v) = c_\beta(v) \vee c_\gamma(v)$, respectively. We first define these sub-CFMs for subformulas of the form $a$, $\beta \vee \gamma$, and $\neg\beta$.

Example 4.1. For $a \in \Sigma$, we define the CFM $\mathcal{A}_a = (\{m\}, 1, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$ as follows: For $p \in \mathcal{P}$, let $S_p = \{\iota_p\}$ and $(\iota_p, \tau, b, m, \iota_p) \in {\to_p}$ iff

• $\tau = a$ and $b = 1$ or

• $\tau \ne a$ and $b = 0$.

Furthermore, $F = \{(\iota_p)_{p \in \mathcal{P}}\}$. Then it is easily checked that $(M, c)$ is accepted by $\mathcal{A}_a$ iff

$$\forall v \in V : \lambda(v) = a \iff c(v) = 1.$$

Example 4.2. Next we define a CFM $\mathcal{A}_\vee = (\{m\}, 3, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$: For $p \in \mathcal{P}$, let $S_p = \{\iota_p\}$ and $(\iota_p, \tau, (b_1, b_2, b_3), m, \iota_p) \in {\to_p}$ iff $b_3 = b_1 \vee b_2$. Furthermore, $F = \{(\iota_p)_{p \in \mathcal{P}}\}$. Then it is easily checked that $(M, c_1, c_2, c_3)$ is accepted by $\mathcal{A}_\vee$ iff

$$\forall v \in V : c_3(v) = c_1(v) \vee c_2(v).$$

The CFM $\mathcal{A}_\neg$ is defined similarly.

Example 4.3. Next we define a CFM $\mathcal{A}_E = (\{m\}, 1, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$: For $p \in \mathcal{P}$, let $S_p = \{\iota_p, s_p\}$ and ${\to_p}$ contain precisely $(\iota_p, \tau, 0, m, \iota_p)$, $(\iota_p, \tau, 1, m, s_p)$, and $(s_p, \tau, b, m, s_p)$ for all $\tau \in \Sigma_p$ and $b \in \{0, 1\}$. Furthermore, $F$ is the set of tuples $(f_p)_{p \in \mathcal{P}}$ that contain at least one occurrence of $s_p$. Hence the index of this CFM is the number of processes $|\mathcal{P}|$.

Then it is easily checked that $(M, c)$ is accepted by $\mathcal{A}_E$ iff there exists a node $v$ with $c(v) = 1$.

The CFM $\mathcal{A}_A = (\{m\}, 1, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$ has again just one local state per process (and is therefore of index 1): For $p \in \mathcal{P}$, let $S_p = \{\iota_p\}$, ${\to_p} = \{(\iota_p, \tau, 1, m, \iota_p) \mid \tau \in \Sigma_p\}$, and

$$F = \{(\iota_p)_{p \in \mathcal{P}}\}.$$

Then it is easily checked that $(M, c)$ admits a run and is therefore accepted by $\mathcal{A}_A$ iff $c(v) = 1$ for all nodes $v$.

4.1. The backward-path automaton. Let $\pi$ be a path expression, i.e., a regular expression over the alphabet $\{\mathrm{proc}, \mathrm{msg}, \{\alpha_1\}, \ldots, \{\alpha_n\}\}$. Replacing $\{\alpha_i\}$ by $i$, we obtain a regular expression over the alphabet $\Gamma = \{\mathrm{proc}, \mathrm{msg}, 1, 2, \ldots, n\}$. Let $L_\pi \subseteq \Gamma^*$ be the language of this regular expression.

A word over $\Gamma$ together with a node from an MSC describes a path starting in that node that walks backwards. The letters proc and msg denote the direction of the path, the letters $i$ denote requirements about the node currently visited (namely, that $\alpha_i$ shall hold). This idea motivates the following definition:

Figure 3: Transitions of the CFM.

Definition 4.4. For an MSC $M$, functions $c_1, \ldots, c_n : V \to \{0, 1\}$, a node $v \in V$ and a word $W \in \Gamma^*$, we define inductively $(M, c_1, \ldots, c_n), v \models^{-1} W$:

$$(M, c_1, \ldots, c_n), v \models^{-1} \varepsilon$$

$$(M, c_1, \ldots, c_n), v \models^{-1} \mathrm{proc}\, W \iff \text{there is } v' = \mathrm{proc}^{-1}(v) \text{ with } (M, c_1, \ldots, c_n), v' \models^{-1} W$$

$$(M, c_1, \ldots, c_n), v \models^{-1} \mathrm{msg}\, W \iff \text{there is } v' = \mathrm{msg}^{-1}(v) \text{ with } (M, c_1, \ldots, c_n), v' \models^{-1} W$$

$$(M, c_1, \ldots, c_n), v \models^{-1} i\, W \iff c_i(v) = 1 \text{ and } (M, c_1, \ldots, c_n), v \models^{-1} W$$

We easily verify that $M, v \models \langle\pi\rangle^{-1}\, tt$ iff there exists $W \in L_\pi$ such that $M, v \models^{-1} W$.

Let $\mathcal{C} = (Q, \iota, T, G)$ be a finite automaton over $\Gamma$ recognizing $L_\pi$. Note that we can assume $|Q| \in O(s(\pi))$. For $q \in Q$ and $W \in \Gamma^*$, we write $q.W \subseteq Q$ for the set of states that can be reached from $q$ reading the word $W$, and we denote by $W.q \subseteq Q$ the set of states from which one can reach $q$ when reading $W$. Furthermore, $P.L = \bigcup_{p \in P,\, W \in L} p.W$ and $L.P = \bigcup_{W \in L,\, p \in P} W.p$ for $P \subseteq Q$ and $L \subseteq \Gamma^*$ (if $L$ (or $P$) is a singleton, then we may identify it with its unique element).

Lemma 4.5. There exists a CFM $\mathcal{A}$ with sets of local states $2^Q$ and set of messages $2^Q$ such that, for any run $(\rho, \mu)$ of $\mathcal{A}$ on $(M, c_1, \ldots, c_n)$ and any node $v$ of $M$, we have

$$\rho(v) = \{q \in Q \mid \exists W \in \Gamma^* : q \in W.G \text{ and } M, v \models^{-1} W\}.$$



Proof. To define the set of transitions, let $A_1, A_2, A'_2 \in 2^Q$, and let $a = (\sigma, b_1, \ldots, b_n) \in \Sigma_p \times \{0, 1\}^n$ and $N = \{i \in [n] \mid b_i = 1\}$. Then we set

$$A_1 \xrightarrow{\;a,\, A'_2\;}_p A_2$$

iff the following conditions hold

(1) if $a$ is a send action, then $A_2 = A'_2 = N^*.G \cup N^*.\mathrm{proc}.A_1$,

(2) if $a$ is a receive action, then $A_2 = N^*.G \cup N^*.\mathrm{proc}.A_1 \cup N^*.\mathrm{msg}.A'_2$.

Here, $A_1$ is the local state assumed before the execution of the (labeled) action $a$, $A_2$ is the local state assumed afterwards, and $A'_2$ is the message involved in this transition. Depending on whether $a$ is a receive or a send action, the message is consumed by $a$ or emitted by $a$. These two situations are visualized in Figure 3.

The local initial state is $\emptyset$ for any $p \in \mathcal{P}$ and any tuple of local states is accepting. Now let $(\rho, \mu)$ be a run of this CFM on $(M, c_1, \ldots, c_n)$.
For $v \in V$ set $N_v = \{i \in [n] \mid c_i(v) = 1\}$ and $\mathcal{M}(v) = \{W \in \Gamma^* \mid (M, c_1, \ldots, c_n), v \models^{-1} W\}$. Then it is easily verified that

$$\mathcal{M}(v) = N_v^* \;\cup\; \underbrace{N_v^*\,\mathrm{proc}\,\mathcal{M}(\mathrm{proc}^{-1}(v))}_{\text{if } \mathrm{proc}^{-1}(v) \text{ is defined}} \;\cup\; \underbrace{N_v^*\,\mathrm{msg}\,\mathcal{M}(\mathrm{msg}^{-1}(v))}_{\text{if } \mathrm{msg}^{-1}(v) \text{ is defined}}.$$

On the other hand,

$$\rho(v) = N_v^*.G \;\cup\; \underbrace{N_v^*.\mathrm{proc}.\rho(\mathrm{proc}^{-1}(v))}_{\text{if } \mathrm{proc}^{-1}(v) \text{ is defined}} \;\cup\; \underbrace{N_v^*.\mathrm{msg}.\rho(\mathrm{msg}^{-1}(v))}_{\text{if } \mathrm{msg}^{-1}(v) \text{ is defined}}.$$

Hence, by induction on the partial order $(V, \le)$, we have $q \in \rho(v)$ iff $q \in \mathcal{M}(v).G$. □

Theorem 4.6. Let $\langle\pi\rangle^{-1}\alpha$ be a local formula such that $\pi$ is a regular expression over the alphabet $\{\mathrm{proc}, \mathrm{msg}, \{\alpha_1\}, \ldots, \{\alpha_n\}\}$. Then there exists a CFM $\mathcal{A}_{\langle\pi\rangle^{-1}\alpha}$ of index 1 with the following property: Let $M$ be an MSC and let $c_i : V \to \{0, 1\}$ be the characteristic function of the set of positions satisfying $\alpha_i$ (for all $i \in [n+1]$) where $\alpha_{n+1} = \alpha$. Then $(M, c_1, \ldots, c_n, c_{n+1}, c)$ is accepted iff $c$ is the characteristic function of the set of positions satisfying $\langle\pi\rangle^{-1}\alpha$.

The CFM we construct has $2^{O(s(\pi))}$ local states per process, $2^{O(s(\pi))}$ many control messages, and any tuple of local states is accepting (in particular, the CFM has index 1).

Proof. Again, since $M, v \models \langle\pi\rangle^{-1}\alpha$ iff $M, v \models \langle\pi; \{\alpha\}\rangle^{-1}\, tt$, we will assume $\alpha = tt$. The CFM $\mathcal{A}_{\langle\pi\rangle^{-1}\alpha}$ simulates the run $(\rho, \mu)$ of the CFM $\mathcal{A}$ from Lemma 4.5 and verifies that $c(v) = 1$ iff $\iota \in \rho(v)$ for all nodes $v \in V$. Then we have

$$\begin{aligned}
c(v) = 1 &\iff \iota \in \rho(v) \\
&\iff \exists W \in \Gamma^* : \iota \in W.G \text{ and } M, v \models^{-1} W \\
&\iff \exists W \in L(\mathcal{C}) = L_\pi : M, v \models^{-1} W \\
&\iff M, v \models \langle\pi\rangle^{-1}\, tt.
\end{aligned}$$

This concludes the proof of Theorem 4.6. □

4.2. The forward-path automaton. We now turn to a similar CFM corresponding to subformulas of the form $\langle\pi\rangle\alpha$. We will prove the following analog to Theorem 4.6. This proof will, however, be substantially more difficult.

Theorem 4.7. Let $I \subseteq \mathrm{Ch}$ and let $\langle\pi\rangle\alpha$ be a local formula such that $\pi$ is a regular expression over the alphabet $\{\mathrm{proc}, \mathrm{msg}, \{\alpha_1\}, \ldots, \{\alpha_n\}\}$. Then there exists a CFM $\mathcal{A}_{\langle\pi\rangle\alpha}$ of index 1 with the following property: Let $M$ be an MSC with $\mathrm{Inf}(M) = I$ and let $c_i : V \to \{0, 1\}$ be the characteristic function of the set of positions satisfying $\alpha_i$ (for all $i \in [n+1]$) where $\alpha_{n+1} = \alpha$. Then $(M, c_1, \ldots, c_n, c_{n+1}, c)$ is accepted iff $c$ is the characteristic function of the set of positions satisfying $\langle\pi\rangle\alpha$. The CFM we construct has $2^{O(s(\pi) + |\mathcal{P}|)}$ local states per process and $2^{O(s(\pi))}$ many control messages.

The rest of this section is devoted to the proof of this theorem. Since $M, v \models \langle\pi\rangle\alpha$ iff $M, v \models \langle\pi; \{\alpha\}\rangle\, tt$, we will assume $\alpha = tt$, i.e., $\alpha$ holds true for any node of any MSC.
Let $\Gamma = \{\mathrm{proc}, \mathrm{msg}, 1, 2, \ldots, n\}$. If, in the regular expression $\pi$, we replace any occurrence of $\{\alpha_i\}$ by $i$, we obtain a regular expression over the alphabet $\Gamma$. Let $L_\pi \subseteq \Gamma^*$ be the language denoted by this regular expression. Then there is a finite automaton $\mathcal{C} = (Q, \iota, T, G)$ over $\Gamma$ with set of states $Q$, initial state $\iota$, set of transitions $T$, and set of final states $G$ recognizing $L_\pi$. Note that $|Q| \in O(s(\pi))$.

A word over $\Gamma$ together with a node from an MSC describes a path starting in that node walking forwards. The following is therefore the forward version of Def. 4.4.

Definition 4.8. For an MSC $M$, functions $c_1, \ldots, c_n : V \to \{0, 1\}$, a node $v \in V$ and a word $W \in \Gamma^*$, we define inductively $(M, c_1, \ldots, c_n), v \models W$:

$$(M, c_1, \ldots, c_n), v \models \varepsilon$$

$$(M, c_1, \ldots, c_n), v \models \mathrm{proc}\, W \iff \text{there exists } v' = \mathrm{proc}(v) \text{ with } (M, c_1, \ldots, c_n), v' \models W$$

$$(M, c_1, \ldots, c_n), v \models \mathrm{msg}\, W \iff \text{there exists } v' = \mathrm{msg}(v) \text{ with } (M, c_1, \ldots, c_n), v' \models W$$

$$(M, c_1, \ldots, c_n), v \models i\, W \iff c_i(v) = 1 \text{ and } (M, c_1, \ldots, c_n), v \models W$$

Now the following is immediate.

Lemma 4.9. Let $M$ be an MSC and, for $i \in [n]$, let $c_i : V \to \{0, 1\}$ be the characteristic function of the set of positions satisfying $\alpha_i$. Then $M, v \models \langle\pi\rangle\, tt$ iff there exists $W \in L_\pi$ such that $M, v \models W$.

Thus, in order to prove Theorem 4.7, it suffices to construct a CFM that accepts $(M, c_1, \ldots, c_n, c)$ iff

$$\forall v \in V : c(v) = 0 \implies \forall W \in L_\pi : (M, c_1, \ldots, c_n), v \not\models W$$

$$\forall v \in V : c(v) = 1 \implies \exists W \in L_\pi : (M, c_1, \ldots, c_n), v \models W.$$

Since the class of languages accepted by CFMs is closed under intersection, we can handle the two implications separately in the following two subsections.

4.2.1. Any 0 is justified. We construct a CFM that accepts $(M, c_1, \ldots, c_n, c)$ iff, for any $v \in V$ with $c(v) = 0$, there does not exist $W \in L_\pi$ with $(M, c_1, \ldots, c_n, c), v \models W$. The basic idea is rather simple: whenever the CFM encounters a node $v$ with $c(v) = 0$, it will start the automaton $\mathcal{C}$ (that accepts $L_\pi$) and check that it cannot reach an accepting state whatever path we choose starting in $v$. Since the CFM has to verify more than one 0, the set of local states $S_p$ equals $2^{Q \setminus G}$ with initial state $\iota_p = \emptyset$ for any $p \in \mathcal{P}$. The set of control messages $C$ equals $2^{Q \setminus G}$, too. Furthermore, any tuple of local states is accepting.

To define the set of transitions, let $A_1, A_2 \in S_p$ and $A'_2 \in C$. Moreover, let $a = (\sigma, b_1, \ldots, b_n, b) \in \Sigma_p \times \{0, 1\}^{n+1}$ and $N = \{i \in [n] \mid b_i = 1\}$. Then we have a transition

$$A_1 \xrightarrow{\;a,\, A'_2\;}_p A_2$$

iff the following conditions hold:

(1) if $b = 0$, then $\iota.N^* \subseteq A_2$,

(2) $A_1.\mathrm{proc}.N^* \subseteq A_2$,

(3) if $a$ is a receive action, then $A'_2.\mathrm{msg}.N^* \subseteq A_2$,

(4) if $a$ is a send action, then $A'_2 = A_2$.
Lemma 4.10. Let $(\rho, \mu)$ be a run of the above CFM on $(M, c_1, \ldots, c_n, c)$ and let $v_0 \in V$ with $c(v_0) = 0$. Then there does not exist $W \in L_\pi$ with $(M, c_1, \ldots, c_n), v_0 \models W$.

Proof. Suppose there is $W \in L_\pi$ with $(M, c_1, \ldots, c_n), v_0 \models W$. Write $W = w_0 a_1 w_1 \ldots a_m w_m$ with $a_k \in \{\mathrm{proc}, \mathrm{msg}\}$ and $w_k \in [n]^*$ for all appropriate $k$. Since $(M, c_1, \ldots, c_n), v_0 \models W$, there exist nodes $v_k \in V$ with $v_{k+1} = a_{k+1}(v_k)$ and $w_k \in N_{v_k}^*$ where $N_{v_k} = \{i \in [n] \mid c_i(v_k) = 1\}$. Since $W \in L_\pi$, there are states $q_i \in Q$ with $q_0 \in \iota.w_0$, $q_{i+1} \in q_i.a_{i+1}.w_{i+1}$, and $q_m \in G$.

Since $c(v_0) = 0$, we have $\iota.N_{v_0}^* \subseteq \rho(v_0)$ by (1) and therefore $q_0 \in \iota.w_0 \subseteq \rho(v_0)$ by $w_0 \in N_{v_0}^*$. By induction, assume $k < m$ and $q_k \in \rho(v_k)$. If $a_{k+1} = \mathrm{proc}$, then by (2) $q_{k+1} \in q_k.\mathrm{proc}.N_{v_{k+1}}^* \subseteq \rho(v_{k+1})$. If $a_{k+1} = \mathrm{msg}$, then $v_k$ is a send event. Hence, by (4), $\mu(v_k) = \rho(v_k)$. Since $(v_k, v_{k+1}) \in \mathrm{msg}$, this implies $\mu(v_{k+1}) = \rho(v_k)$. Hence, by (3), $q_{k+1} \in \rho(v_k).\mathrm{msg}.N_{v_{k+1}}^* \subseteq \rho(v_{k+1})$. This finishes the inductive argument. Hence $q_m \in \rho(v_m) \cap G$, contradicting our definition $S_p = 2^{Q \setminus G}$. □

Lemma 4.11. Suppose $(M, c_1, \ldots, c_n, c)$ satisfies

$$\forall v \in V : c(v) = 0 \implies \forall W \in L_\pi : (M, c_1, \ldots, c_n), v \not\models W.$$

Then $(M, c_1, \ldots, c_n, c)$ admits a run of the above CFM.

Proof. For $v \in V$, let $N_v = \{i \in [n] \mid c_i(v) = 1\}$. Then define $\rho(v)$ to be the union of the following sets

(a) $\iota.N_v^*$ if $c(v) = 0$,

(b) $\rho(\mathrm{proc}^{-1}(v)).\mathrm{proc}.N_v^*$ if $\mathrm{proc}^{-1}(v)$ is defined (i.e., if $v$ is not minimal on its process),

(c) $\rho(\mathrm{msg}^{-1}(v)).\mathrm{msg}.N_v^*$ if $\mathrm{msg}^{-1}(v)$ is defined (i.e., if $\lambda(v)$ is a receive action).

Furthermore, let

$$\mu(v) = \begin{cases} \rho(v) & \text{if } \lambda(v) \text{ is a send action} \\ \mu(\mathrm{msg}^{-1}(v)) & \text{otherwise.} \end{cases}$$

Then, for any $v \in V$, the transition conditions (1-4) are satisfied by the mappings $\rho$ and $\mu$ (recall that the local initial states are $\emptyset$).

Now, by contradiction, assume $(\rho, \mu)$ is no run, i.e., there is some $v_0 \in V$ with $\rho(v_0) \notin 2^{Q \setminus G}$. Hence there exists $q_0 \in \rho(v_0) \cap G$. Setting $W_0 = \varepsilon$, we therefore have

$$(M, c_1, \ldots, c_n, c), v_k \models W_k, \quad q_k \in \rho(v_k), \quad \text{and} \quad q_k.W_k \cap G \ne \emptyset \qquad (*)$$

for $k = 0$. Now assume that $(*)$ holds for some $k \ge 0$.

First, assume $c(v_k) = 0$ and $q_k \in \iota.N_{v_k}^* \subseteq \rho(v_k)$ because of (a). Hence, there exists $w_k \in N_{v_k}^*$ with $q_k \in \iota.w_k$. But then $(M, c_1, \ldots, c_n, c), v_k \models w_k W_k$ and $w_k W_k \in L_\pi$, a contradiction. Hence we have $q_k \in \rho(v_k)$ because of (b) or (c). If $q_k \in \rho(\mathrm{proc}^{-1}(v_k)).\mathrm{proc}.N_{v_k}^*$, then set $v_{k+1} = \mathrm{proc}^{-1}(v_k)$ and choose $q_{k+1} \in \rho(v_{k+1})$ and $w_k \in N_{v_k}^*$ with $q_k \in q_{k+1}.\mathrm{proc}.w_k$. Setting $W_{k+1} = \mathrm{proc}.w_k.W_k$ yields $(*)$ for $k + 1$. If $q_k \in \rho(\mathrm{msg}^{-1}(v_k)).\mathrm{msg}.N_{v_k}^*$, we can argue similarly.

Hence we find an infinite sequence of nodes $v_0 > v_1 > v_2 > \cdots$ which is impossible since $v_0$ dominates only a finite set. Thus, $(\rho, \mu)$ is a run. □

Proposition 4.12. There exists a CFM $\mathcal{A}_0$ of index 1 that accepts $(M, c_1, \ldots, c_n, c)$ iff

$$\forall v \in V : c(v) = 0 \implies \forall W \in L_\pi : (M, c_1, \ldots, c_n), v \not\models W.$$

The number of local states per process as well as the number of messages are in $2^{O(s(\pi))}$. Furthermore, any run of the CFM is accepting.

Proof. The proof is immediate by the above two lemmas. □
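The following Python, added here and not part of the paper, runs both path-automaton constructions of this section on one constructed MSC with a single labeling c_1 and a three-state automaton C for π = proc* msg {α_1}: rho(v) of Lemma 4.5 (backward, so ι ∈ rho(v) characterizes ⟨π⟩^{-1} tt by Theorem 4.6), and the run of Lemma 4.11 for the "any 0 is justified" CFM of Section 4.2.1, which exists iff no rho(v) meets G (Lemma 4.10). Both are cross-checked against a product search that evaluates Definitions 4.4 and 4.8 directly; the MSC, labeling, colorings and automaton are all constructed here.

```python
"""Path automata of Section 4 on a finite MSC (added example, not the paper's code).

rho_back is the recursion from the proof of Lemma 4.5 (backward paths),
zero_justified builds the run of Lemma 4.11 (Section 4.2.1, forward paths),
product_search evaluates Definitions 4.4 / 4.8 directly for cross-checking.
"""
from functools import lru_cache

# Constructed MSC: p sends a1->b1 and a2->b2 to q; q sends b3->a3 to p.
PROCS = {"p": ["a1", "a2", "a3"], "q": ["b1", "b2", "b3"]}
MSGS = [("a1", "b1"), ("a2", "b2"), ("b3", "a3")]
EVENTS = [v for seq in PROCS.values() for v in seq]
# Constructed labeling c_1: alpha_1 holds exactly at a2, a3 and b1.
LABELS = {1: {"a1": 0, "a2": 1, "a3": 1, "b1": 1, "b2": 0, "b3": 0}}
# NFA C = (Q, iota, T, G) over Gamma = {proc, msg, 1} for pi = proc* msg {alpha_1}.
IOTA, G = "q0", {"q2"}
T = {("q0", "proc", "q0"), ("q0", "msg", "q1"), ("q1", 1, "q2")}
# proc^-1, msg^-1 and the forward maps proc, msg as partial functions on events.
PROC_PRED = {seq[i]: seq[i - 1] for seq in PROCS.values() for i in range(1, len(seq))}
MSG_PRED = {r: s for s, r in MSGS}
PROC_SUCC = {u: v for v, u in PROC_PRED.items()}
MSG_SUCC = {s: r for s, r in MSGS}


def pre(states, letter):
    """W.P for a one-letter W: states from which `letter` leads into `states`."""
    return {q for (q, a, q2) in T if a == letter and q2 in states}


def post(states, letter):
    """P.W for a one-letter W: states that `letter` reaches from `states`."""
    return {q2 for (q, a, q2) in T if a == letter and q in states}


def closure(states, letters, step):
    """N*.P (step=pre) or P.N* (step=post): saturate `states` under the letters of N."""
    closed, frontier = set(states), set(states)
    while frontier:
        frontier = {q for a in letters for q in step(frontier, a)} - closed
        closed |= frontier
    return frozenset(closed)


def n_of(v):
    """N_v = {i in [n] : c_i(v) = 1}."""
    return {i for i, c in LABELS.items() if c[v] == 1}


@lru_cache(maxsize=None)
def rho_back(v):
    """Lemma 4.5: states q with q in W.G for some W satisfied backwards from v."""
    states = set(closure(G, n_of(v), pre))
    if v in PROC_PRED:
        states |= closure(pre(rho_back(PROC_PRED[v]), "proc"), n_of(v), pre)
    if v in MSG_PRED:
        states |= closure(pre(rho_back(MSG_PRED[v]), "msg"), n_of(v), pre)
    return frozenset(states)


def backward_truth():
    """Theorem 4.6: c(v) = 1 iff iota in rho(v), i.e. iff M, v |= <pi>^-1 tt."""
    return {v: int(IOTA in rho_back(v)) for v in EVENTS}


def zero_justified(c):
    """Section 4.2.1: the CFM has a run on (M, c_1, c) iff every rho(v) built as in
    Lemma 4.11 stays inside Q \\ G (Lemma 4.10 gives the converse direction)."""
    rho = {}

    def r(v):
        if v not in rho:
            states = set()
            if c[v] == 0:                                                        # (a)
                states |= closure({IOTA}, n_of(v), post)
            if v in PROC_PRED:                                                   # (b)
                states |= closure(post(r(PROC_PRED[v]), "proc"), n_of(v), post)
            if v in MSG_PRED:                                                    # (c)
                states |= closure(post(r(MSG_PRED[v]), "msg"), n_of(v), post)
            rho[v] = frozenset(states)
        return rho[v]

    return all(not (r(v) & G) for v in EVENTS)


def product_search(v, backward):
    """Direct evaluation of M, v |= <pi>^-1 tt (backward, Def. 4.4) or
    M, v |= <pi> tt (forward, Def. 4.8) by exploring (event, state) pairs."""
    proc_next = PROC_PRED if backward else PROC_SUCC
    msg_next = MSG_PRED if backward else MSG_SUCC
    seen, stack = set(), [(v, IOTA)]
    while stack:
        u, q = stack.pop()
        if (u, q) in seen:
            continue
        seen.add((u, q))
        if q in G:
            return 1
        for (q1, a, q2) in T:
            if q1 != q:
                continue
            if a in ("proc", "msg"):                 # move along the MSC
                nxt = (proc_next if a == "proc" else msg_next).get(u)
                if nxt is not None:
                    stack.append((nxt, q2))
            elif LABELS[a][u] == 1:                  # test alpha_a at the current event
                stack.append((u, q2))
    return 0


FORWARD_TRUTH = {v: product_search(v, backward=False) for v in EVENTS}
```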

4.2.2. Any 1 is justified. We next construct a CFM that accepts $(M, c_1, \ldots, c_n, c)$ iff, for any $v \in V$ with $c(v) = 1$, there exists $W \in L_\pi$ with $(M, c_1, \ldots, c_n, c), v \models W$. Again, the basic idea is simple: whenever the CFM encounters a node $v$ with $c(v) = 1$, it will start the automaton $\mathcal{C}$ (that accepts $L_\pi$) and check that it can reach an accepting state along one of the possible paths. Thus, before, we had to prevent $\mathcal{C}$ from reaching an accepting state. This time, we have to ensure that any verification of a $c(v) = 1$ will eventually result in an accepting state being reached. For sequential Büchi automata, solutions to this problem are known: collect some claims to be verified in one set and, only when all of them are verified, start verifying those claims that have been encountered during the previous verification phase. The resulting Büchi automaton accepts iff the verification phase is changed infinitely often. We will adapt precisely this idea here. But then, the CFM would have to accept if, along each and every path, the verification phase changes infinitely often. This is the point where the CFM $\mathcal{A}_{\mathrm{Col}}$ comes into play since, by Corollary 3.9, it verifies that any path runs through infinitely many color changes. Thus, we will first construct a CFM that runs on tuples $(M, c_0, c_1, \ldots, c_n, c)$ where we assume that $(M, c_0) \in \mathrm{Col}$. The actual CFM that verifies all claims $c(v) = 1$ will run this newly constructed CFM in conjunction with $\mathcal{A}_{\mathrm{Col}}$ (that verifies $(M, c_0) \in \mathrm{Col}$) and project away the labeling $c_0$.

For any $p \in \mathcal{P}$, the set of local states $S_p$ equals $2^Q \times 2^Q \times \{0, 1\}$ with initial state $\iota_p = (\emptyset, \emptyset, 1)$, the set of control messages $C$ equals $2^Q \times 2^Q \times \{0, 1\}$.



To define the set of transitions, let $(A_1, B_1, d_1), (A_2, B_2, d_2) \in S_p$ and $(A'_2, B'_2, d'_2) \in C$. Furthermore, let $a = (\sigma, b_0, b_1, \ldots, b_n, b) \in \Sigma_p \times \{0, 1\}^{n+2}$. Now we would like to define the conditions for the existence of a transition

$$(A_1, B_1, d_1) \xrightarrow{\;a,\, (A'_2, B'_2, d'_2)\;}_p (A_2, B_2, d_2).$$

We have to distinguish between $a$ being a send or a receive event, cf. Figure 4. For $\sigma = p!q$ the pair $(A_1, B_1)$ contains the in-going information whereas $(A_2, B_2)$ and $(A'_2, B'_2)$ carry the out-going information propagated along the process and the channel, respectively. On the other hand, for $\sigma = p?q$ now both $(A_1, B_1)$ and $(A'_2, B'_2)$ contain the in-going information whereas the out-going information can be propagated along the process line only, hence, it is enclosed in $(A_2, B_2)$ only. Therefore, we put

$$A_{\mathrm{in}} = A_1, \quad A_{\mathrm{out}} = A_2 \cup A'_2, \quad B_{\mathrm{in}} = B_1, \quad B_{\mathrm{out}} = B_2 \cup B'_2$$

whenever $a$ is a send event and

$$A_{\mathrm{in}} = A_1 \cup A'_2, \quad A_{\mathrm{out}} = A_2, \quad B_{\mathrm{in}} = B_1 \cup B'_2, \quad B_{\mathrm{out}} = B_2$$

whenever $a$ is a receive event.

Now the idea is the following: The CFM saves the actual color within its state and propagates it via the channel whenever $a$ is a send. Whenever we stay within the same color ($d_2 = d_1$ and, for $a$ a receive, also $d_2 = d'_2$) we propagate the states (from the finite automaton $\mathcal{C}$) contained in $A_{\mathrm{in}}$ to $A_{\mathrm{out}}$ and likewise from $B_{\mathrm{in}}$ to $B_{\mathrm{out}}$. But whenever the color changes ($d_2 \ne d_1$ or, for $a$ a receive, $d_2 \ne d'_2$), we require the respective part of $A_{\mathrm{in}}$ to be empty and all the information from the respective $B_{\mathrm{in}}$ is swept to $A_{\mathrm{out}}$. Moreover, whenever a new 1 has to be verified we start $\mathcal{C}$ and collect the states obtained this way within $B_{\mathrm{out}}$. Now we formalize these ideas.
Figure 4: Transitions of the CFM.



Let $N = \{i \in [n] \mid b_i = 1\}$. Recall that $\mathcal{C} = (Q, \iota, T, G)$ is the finite automaton recognizing $L_\pi$. Then the transition above is defined iff the following conditions hold:

(1) $d_2 = b_0$ and, if $a$ is a send, then also $d'_2 = b_0$,

(2) if $b = 1$, then $\iota.N^* \cap (G \cup B_{\mathrm{out}}) \ne \emptyset$,

(3) $\forall q \in A_1 : q.\mathrm{proc}.N^* \cap (G \cup A_{\mathrm{out}}) \ne \emptyset$, and, if $a$ is a receive, then also $\forall q \in A'_2 : q.\mathrm{msg}.N^* \cap (G \cup A_{\mathrm{out}}) \ne \emptyset$,

(4) if $d_2 = d_1$, then $\forall q \in B_1 : q.\mathrm{proc}.N^* \cap (G \cup B_{\mathrm{out}}) \ne \emptyset$,

(5) if $d_2 \ne d_1$, then $A_1 = \emptyset$ and $\forall q \in B_1 : q.\mathrm{proc}.N^* \cap (G \cup A_{\mathrm{out}}) \ne \emptyset$,

(6) if $d_2 = d'_2$ and $a$ is a receive, then $\forall q \in B'_2 : q.\mathrm{msg}.N^* \cap (G \cup B_{\mathrm{out}}) \ne \emptyset$,

(7) if $d_2 \ne d'_2$ and $a$ is a receive, then $A'_2 = \emptyset$ and $\forall q \in B'_2 : q.\mathrm{msg}.N^* \cap (G \cup A_{\mathrm{out}}) \ne \emptyset$.

Note that for a color change (cases (5) and (7)) the respective conditions in (3) become obsolete since $A_1 = \emptyset$ and/or $A'_2 = \emptyset$.

Recall that $I$ is a set of channels and that we are only interested in MSCs that use precisely these channels infinitely often. Let $(f_p)_{p \in \mathcal{P}} \in \prod_{p \in \mathcal{P}} S_p$ be accepting in $\mathcal{A}$ iff $f_p \in \{(\emptyset, \emptyset, 0), (\emptyset, \emptyset, 1)\}$ for all $p \in \mathcal{P}$ that are not involved in any of the channels from $I$, i.e., that satisfy $I \cap (\{p\} \times \mathcal{P} \cup \mathcal{P} \times \{p\}) = \emptyset$ (note that a process $p$ is not involved in any of the channels from $I$ iff it is not involved in any of the channels used infinitely often iff $p$ executes only finitely many events). This finishes the construction of the CFM $\mathcal{A}$ of index 1.

Lemma 4.13. Let $(\rho, \mu)$ be an accepting run of the above CFM $\mathcal{A}$ on $(M, c_0, c_1, \ldots, c_n, c)$ and suppose $(M, c_0) \in \mathrm{Col}$ and $I \subseteq \mathrm{Inf}(M)$. Then, for any $v_0 \in V$ with $c(v_0) = 1$, there exists $W \in L_\pi$ with $(M, c_1, \ldots, c_n), v_0 \models W$.

Proof. For $v \in V$, let $\rho(v) = (A_v, B_v, d_v)$, $\mu(v) = (A'_v, B'_v, d'_v)$, $N_v = \{i \in [n] \mid c_i(v) = 1\}$. Similarly as above, whenever $\lambda(v)$ is a send event, we put

$$A_{\mathrm{out}}(v) = A_v \cup A'_v, \quad B_{\mathrm{out}}(v) = B_v \cup B'_v,$$

and whenever $\lambda(v)$ is a receive event, we put

$$A_{\mathrm{out}}(v) = A_v, \quad B_{\mathrm{out}}(v) = B_v.$$

Since $c(v_0) = 1$, (2) implies the existence of $w_0 \in N_{v_0}^*$ and $q_0 \in \iota.w_0 \cap (G \cup B_{\mathrm{out}}(v_0))$. Now we define a finite or infinite sequence $(v_i, w_i, q_i)_{0 \le i < N}$ with $N \in \mathbb{N} \cup \{\omega\}$, $v_i \in V$, $w_i \in \{\mathrm{proc}, \mathrm{msg}\} N_{v_i}^*$ for $i \ge 1$, and $q_i \in Q$ such that the following hold for all $0 \le i < N$:

(a) $(v_i, v_{i+1}) \in \mathrm{proc} \cup \mathrm{msg}$,

(b) $q_i \in G \cup A_{\mathrm{out}}(v_i) \cup B_{\mathrm{out}}(v_i)$,

(c) $w_{i+1} \in a N_{v_{i+1}}^*$ and $q_{i+1} \in q_i.w_{i+1}$ with $a = \begin{cases} \mathrm{proc} & \text{if } (v_i, v_{i+1}) \in \mathrm{proc} \\ \mathrm{msg} & \text{otherwise,} \end{cases}$

(d) if $q_i \in A_{\mathrm{out}}(v_i)$, then $q_{i+1} \in G \cup A_{\mathrm{out}}(v_{i+1})$,

(e) $q_i \in G \iff N = i + 1$.

Let us assume that the sequence has already been constructed up to index $i$. Then we proceed as follows:

(i) If $q_i \in G$, then set $N = i + 1$ which finishes the construction of the sequence and implies (e) a posteriori for all $0 \le i < N$.

(ii) Suppose $q_i \in A_{v_i} \setminus G$. Since $A_{v_i} \ne \emptyset$ and since the run is accepting, the node $v_i$ is not maximal on its process, so we can set $v_{i+1} = \mathrm{proc}(v_i)$. Then, by (3), we can choose $w_{i+1} \in \mathrm{proc}\, N_{v_{i+1}}^*$ and $q_{i+1} \in q_i.w_{i+1} \cap (G \cup A_{\mathrm{out}}(v_{i+1}))$.

(iii) Suppose $q_i \in A_{\mathrm{out}}(v_i) \setminus (G \cup A_{v_i})$. Then $v_i$ is a send event. Hence, $v_{i+1} = \mathrm{msg}(v_i)$ is a well-defined receive event. Hence, by (3), there exist $w_{i+1} \in \mathrm{msg}\, N_{v_{i+1}}^*$ and $q_{i+1} \in q_i.w_{i+1} \cap (G \cup A_{\mathrm{out}}(v_{i+1}))$ such that (a) - (e) hold.

(iv) Suppose $q_i \in B_{v_i} \setminus (G \cup A_{\mathrm{out}}(v_i))$. Since $B_{v_i} \ne \emptyset$ and since the run is accepting, the node $v_i$ cannot be maximal on its process, i.e., $v_{i+1} = \mathrm{proc}(v_i)$ is well-defined. Then

(a) if $d_{v_{i+1}} = d_{v_i}$, by (4), $q_i.\mathrm{proc}.N_{v_{i+1}}^* \cap (G \cup B_{\mathrm{out}}(v_{i+1})) \ne \emptyset$, and

(b) if $d_{v_{i+1}} \ne d_{v_i}$, by (5), $q_i.\mathrm{proc}.N_{v_{i+1}}^* \cap (G \cup A_{\mathrm{out}}(v_{i+1})) \ne \emptyset$.

Hence we can choose $w_{i+1} \in \mathrm{proc}\, N_{v_{i+1}}^*$ and $q_{i+1}$ such that (a) - (e) hold.

(v) Finally, suppose $q_i \in B_{\mathrm{out}}(v_i) \setminus (G \cup A_{\mathrm{out}}(v_i) \cup B_{v_i})$. Then $v_i$ is a send event, i.e., $v_{i+1} = \mathrm{msg}(v_i)$ is a well-defined receive event. Hence

(a) if $d_{v_{i+1}} = d'_{v_{i+1}}$, by (6), $q_i.\mathrm{msg}.N_{v_{i+1}}^* \cap (G \cup B_{\mathrm{out}}(v_{i+1})) \ne \emptyset$, and

(b) if $d_{v_{i+1}} \ne d'_{v_{i+1}}$, by (7), $q_i.\mathrm{msg}.N_{v_{i+1}}^* \cap (G \cup A_{\mathrm{out}}(v_{i+1})) \ne \emptyset$.

Again, we can choose $w_{i+1}$ and $q_{i+1}$ such that (a) - (e) hold.

If the construction can be carried out ad infinitum, then set $N = \omega$ which, again, ensures (e) a posteriori for all $i < N$.

Now suppose $N = \omega$. Then, by Cor. 3.9, there exist $0 \le i < k$ with $c_0(v_i) \ne c_0(v_{i+1})$ and $c_0(v_k) \ne c_0(v_{k+1})$. By (1), this implies $d_{v_i} \ne d_{v_{i+1}}$ whenever $(v_i, v_{i+1}) \in \mathrm{proc}$ or $d'_{v_{i+1}} \ne d_{v_{i+1}}$ whenever $(v_i, v_{i+1}) \in \mathrm{msg}$. Similarly, $d_{v_k} \ne d_{v_{k+1}}$ for $(v_k, v_{k+1}) \in \mathrm{proc}$ and $d'_{v_{k+1}} \ne d_{v_{k+1}}$ for $(v_k, v_{k+1}) \in \mathrm{msg}$. Let us assume $(v_i, v_{i+1}) \in \mathrm{proc}$ and $(v_k, v_{k+1}) \in \mathrm{proc}$, i.e., $d_{v_i} \ne d_{v_{i+1}}$ and $d_{v_k} \ne d_{v_{k+1}}$. Hence, by (5), we get $A_{v_i} = A_{v_k} = \emptyset$. Since, by (e), $q_i \notin G$, $A_{v_i} = \emptyset$, and $(v_i, v_{i+1}) \in \mathrm{proc}$, we get $q_i \in B_{v_i}$ and, therefore, by case (iv)(b) of the construction above $q_{i+1} \in A_{\mathrm{out}}(v_{i+1})$. Applying (e) and (d) inductively, this results in $q_k \in A_{\mathrm{out}}(v_k)$. Since $(v_k, v_{k+1}) \in \mathrm{proc}$, we conclude by the construction (cases (ii) and (iii)) $q_k \in A_{v_k} \setminus G$. But this contradicts $A_{v_k} = \emptyset$. For the other cases a contradiction is obtained similarly. Hence, $N$ is finite.

Certainly, $(M, c_1, \ldots, c_n), v_{N-1} \models \varepsilon$. From (c), we obtain $(M, c_1, \ldots, c_n), v_{N-2} \models w_{N-1}$ and, by induction, $(M, c_1, \ldots, c_n), v_0 \models W$ with $W = w_0 w_1 \ldots w_{N-1}$. Since $q_0 \in \iota.w_0$, (c) implies $q_{N-1} \in \iota.W$ and therefore $W \in L_\pi$ follows from (e). □

Lemma 4.14. Suppose $(M, c_1, \ldots, c_n, c)$ satisfies

$$\forall v \in V : c(v) = 1 \implies \exists W \in L_\pi : (M, c_1, \ldots, c_n), v \models W$$

and $\mathrm{Inf}(M) \subseteq I$. Then there exists a mapping $c_0 : V \to \{0, 1\}$ such that $(M, c_0) \in \mathrm{Col}$ and the above CFM $\mathcal{A}$ accepts $(M, c_0, c_1, \ldots, c_n, c)$.
Proof. For any $v \in V$ with $c(v) = 1$, there exist $k^v \in \mathbb{N}$, $w^v_0 \in [n]^*$, $w^v_i \in \{\mathrm{proc}, \mathrm{msg}\}[n]^*$ for $1 \le i \le k^v$, nodes $v^v_i \in V$ and $q^v_i \in Q$ for $0 \le i \le k^v$ such that

(a) $q^v_0 \in \iota.w^v_0$, $q^v_{i+1} \in q^v_i.w^v_{i+1}$ for $0 \le i < k^v$, and $q^v_{k^v} \in G$,

(b) $v^v_0 = v$ and, for $0 \le i < k^v$,

$$v^v_{i+1} = \begin{cases} \mathrm{proc}(v^v_i) & \text{if } w^v_{i+1} \in \mathrm{proc}[n]^* \\ \mathrm{msg}(v^v_i) & \text{if } w^v_{i+1} \in \mathrm{msg}[n]^*. \end{cases}$$

We define inductively a sequence of subsets of $V$: Let $H_0 = \emptyset$. Inductively, let $H_{n+1} \subseteq V \setminus \bigcup_{0 \le i \le n} H_i$ be nonempty and finite such that

(A) $\bigcup_{0 \le i \le n+1} H_i$ is downwards closed in $M$,

(B) for any $v \in V \setminus \bigcup_{0 \le i \le n+1} H_i$ with $\lambda(v) = p?q$,

(B1) there exist infinitely many $v' \in V \setminus \bigcup_{0 \le i \le n+1} H_i$ with $\lambda(v) = \lambda(v')$,

(B2) there exist $u, u' \in H_{n+1}$ with $(u, u') \in \mathrm{msg}$ and $\lambda(u') = \lambda(v)$,

(C) for any $v \in H_n$ with $c(v) = 1$, we have $v^v_{k^v} \in H_n \cup H_{n+1}$.

Then $V = \bigcup_{n \ge 0} H_n$.

Now set, for $v \in H_n$,

• $c_0(v) = n \bmod 2$ and $d_v = c_0(v)$,

• if $v$ is a send event, then

$$\begin{aligned}
A_v &= \{q^u_i \mid u \in H_{n-1},\ c(u) = 1,\ 0 \le i < k^u \text{ such that } v = v^u_i \text{ and } w^u_{i+1} \in \mathrm{proc}[n]^*\} \\
B_v &= \{q^u_i \mid u \in H_n,\ c(u) = 1,\ 0 \le i < k^u \text{ such that } v = v^u_i \text{ and } w^u_{i+1} \in \mathrm{proc}[n]^*\} \\
A'_v &= \{q^u_i \mid u \in H_{n-1},\ c(u) = 1,\ 0 \le i < k^u \text{ such that } v = v^u_i \text{ and } w^u_{i+1} \in \mathrm{msg}[n]^*\} \\
B'_v &= \{q^u_i \mid u \in H_n,\ c(u) = 1,\ 0 \le i < k^u \text{ such that } v = v^u_i \text{ and } w^u_{i+1} \in \mathrm{msg}[n]^*\} \\
d'_v &= c_0(v),
\end{aligned}$$

• if $v$ is a receive event, then

$$\begin{aligned}
A_v &= \{q^u_i \mid u \in H_{n-1},\ c(u) = 1,\ 0 \le i < k^u \text{ such that } v = v^u_i\} \\
B_v &= \{q^u_i \mid u \in H_n,\ c(u) = 1,\ 0 \le i < k^u \text{ such that } v = v^u_i\} \\
A'_v &= A'_{\mathrm{msg}^{-1}(v)} \\
B'_v &= B'_{\mathrm{msg}^{-1}(v)} \\
d'_v &= d'_{\mathrm{msg}^{-1}(v)}.
\end{aligned}$$

Then the pair of mappings $(\rho, \mu)$ with $\rho(v) = (A_v, B_v, d_v)$ and $\mu(v) = (A'_v, B'_v, d'_v)$ is an accepting run of the CFM on $(M, c_0, c_1, \ldots, c_n, c)$ and $(M, c_0) \in \mathrm{Col}$. □

Proposition 4.15. Let $I \subseteq \mathrm{Ch}$. There is a CFM $\mathcal{A}_1$ that accepts $(M, c_1, \ldots, c_n, c)$ with $\mathrm{Inf}(M) = I$ iff

$$\forall v \in V : c(v) = 1 \implies \exists W \in L_\pi : (M, c_1, \ldots, c_n), v \models W.$$

The number of local states per process is in $2^{O(|\mathcal{P}| + s(\pi))}$ and the number of messages is in $2^{O(s(\pi))}$.

Proof. By Lemma 3.2 there exists a CFM $\mathcal{B}$ with the given number of states and messages that accepts $(M, c_0, c_1, \ldots, c_n, c)$ iff it is accepted by $\mathcal{A}_{\mathrm{Col}}$ from Prop. 3.7 and by the above CFM $\mathcal{A}$, i.e., iff $(M, c_0) \in \mathrm{Col}$, and $(M, c_0, c_1, \ldots, c_n, c)$ is accepted by $\mathcal{A}$. Projecting away the function $c_0$ gives the CFM $\mathcal{A}_1$ by the above two lemmas. □

Proof (of Theorem 4.7). The result follows immediately from Propositions 4.12, 4.15 and Lemma 3.2. □



4.3. The overall construction.

Theorem 4.16. Let $I \subseteq \mathrm{Ch}$ and let $\alpha$ be a local formula of PDL. Then one can construct a CFM $\mathcal{B}$ of index 1 such that $(M, (c_\beta)_{\beta \in \mathrm{sub}(\alpha)})$ with $\mathrm{Inf}(M) = I$ is accepted by $\mathcal{B}$ iff $c_\beta : V \to \{0, 1\}$ is the characteristic function of the set of positions that satisfy $\beta$ for all $\beta \in \mathrm{sub}(\alpha)$.

With $m$ the number of subformulas of the form $\langle\pi\rangle\gamma$ and $\langle\pi\rangle^{-1}\gamma$ and $n \in \mathbb{N}$ such that $s(\pi; \gamma) \le n$ for all such subformulas, the number of local states per process is in $2^{O(m(n + |\mathcal{P}|))}$ and the number of control messages is in $2^{O(mn)}$.

Proof. The CFM $\mathcal{B}$ has to accept $(M, (c_\beta)_{\beta \in \mathrm{sub}(\alpha)})$ iff

(1) $\mathcal{A}_a$ accepts $(M, c_a)$ for all $a \in \mathrm{sub}(\alpha) \cap \Sigma$ (cf. Example 4.1),

(2) $\mathcal{A}_\vee$ accepts $(M, c_\gamma, c_\delta, c_{\gamma \vee \delta})$ for all $\gamma \vee \delta \in \mathrm{sub}(\alpha)$ (cf. Example 4.2),

(3) $\mathcal{A}_\neg$ accepts $(M, c_\gamma, c_{\neg\gamma})$ for all $\neg\gamma \in \mathrm{sub}(\alpha)$ (cf. Example 4.2),

(4) $\mathcal{A}_{\langle\pi\rangle\gamma}$ accepts $(M, c_{\alpha_1}, \ldots, c_{\alpha_n}, c_\gamma, c_{\langle\pi\rangle\gamma})$ for all $\langle\pi\rangle\gamma \in \mathrm{sub}(\alpha)$ where $\alpha_1, \ldots, \alpha_n$ are those local formulas for which $\{\alpha_i\}$ appears in the path expression $\pi$ (cf. Theorem 4.7), and

(5) $\mathcal{A}_{\langle\pi\rangle^{-1}\gamma}$ accepts $(M, c_{\alpha_1}, \ldots, c_{\alpha_n}, c_\gamma, c_{\langle\pi\rangle^{-1}\gamma})$ for all $\langle\pi\rangle^{-1}\gamma \in \mathrm{sub}(\alpha)$ where $\alpha_1, \ldots, \alpha_n$ are those local formulas for which $\{\alpha_i\}$ appears in the path expression $\pi$ (cf. Theorem 4.6).

Recall that the CFMs from (4) all have index 1, their number of local states per process is bounded by $2^{O(n + |\mathcal{P}|)}$, and their number of messages is bounded by $2^{O(n)}$. Hence, by Lemma 3.2, there exists a CFM of index 1 that checks all the requirements in (4). Its number of states is in

$$(m + 1) \cdot \prod_{\langle\pi\rangle\gamma \in \mathrm{sub}(\alpha)} 2^{O(n + |\mathcal{P}|)} \subseteq (m + 1) \cdot 2^{O(m(n + |\mathcal{P}|))} \subseteq 2^{O(m(n + |\mathcal{P}|))}$$

and the number of control messages belongs to

$$\prod_{\langle\pi\rangle\gamma \in \mathrm{sub}(\alpha)} 2^{O(s(\pi))} \subseteq 2^{O(mn)}.$$

Any tuple of local states in any of the CFMs from (5) is accepting. Furthermore, any of them has $2^{O(n)}$ local states per process and equally many messages. Hence there is a CFM with $2^{O(mn)}$ local states per process and equally many messages that checks all the requirements in (5). Furthermore, all tuples of states of this machine are accepting.

Recall that the CFMs $\mathcal{A}_a$, $\mathcal{A}_\vee$, and $\mathcal{A}_\neg$ have just one local state per process, i.e., they only restrict the labels $(a, (b_\beta)_{\beta \in \mathrm{sub}(\alpha)})$ allowed in $M$. Hence, without additional states or messages, one can change the above two CFMs into a CFM $\mathcal{B}$ of index 1 that checks (1)-(5). Its number of local states per process is in $2^{O(m(n + |\mathcal{P}|))}$ and its number of messages in $2^{O(mn)}$. □
5. Translation of global formulas

A basic global formula is a formula of the form $A\alpha$ or $E\alpha$ for $\alpha$ a local formula. Then global formulas are positive Boolean combinations of basic global formulas.

Proposition 5.1. Let $\varphi$ be a global formula and $I \subseteq \mathrm{Ch}$. Then one can construct a CFM $\mathcal{A}$ that accepts $M$ with $\mathrm{Inf}(M) = I$ iff $M \models \varphi$.

With $\ell$ the number of basic global subformulas of $\varphi$, $m$ the number of subformulas of the form $\langle\pi\rangle\beta$ and $\langle\pi\rangle^{-1}\beta$, and $n \in \mathbb{N}$ such that $s(\pi; \beta) \le n$ for all such subformulas, the number of local states per process is in $2^{O(m(n + |\mathcal{P}|)) + |\mathcal{P}|\ell}$, the number of control messages is in $2^{O(\ell + mn)}$, and the index is at most $|\mathcal{P}|^\ell$.

Proof. Let $H$ be the set of basic global subformulas of $\varphi$. Let $\beta = \bigwedge\{\alpha \mid E\alpha \in H \text{ or } A\alpha \in H\}$. Using Proposition 3.3 one can construct a CFM that accepts $(M, (c_\gamma)_{\gamma \in \mathrm{sub}(\beta)})$ with $\mathrm{Inf}(M) = I$ iff

• $c_\gamma$ is the characteristic function of the set of positions satisfying $\gamma$ for all $\gamma \in \mathrm{sub}(\beta)$ (Thm. 4.16),

• $M \models A\alpha$ for all $A\alpha \in H$ (Example 4.3),

• $M \models E\alpha$ for all $E\alpha \in H$ (Example 4.3).

Recall that the CFM checking $c_\gamma$ as well as those checking $A\alpha$ all have index 1 while the CFMs for $E\alpha$ have index $|\mathcal{P}|$. Hence the number of local states per process of the resulting CFM belongs to $1 + (|H| + 1) \cdot 2^{O(m(n + |\mathcal{P}|))} \cdot 2^{|H|} \cdot |\mathcal{P}|^{|H|} \subseteq 2^{O(m(n + |\mathcal{P}|)) + |\mathcal{P}|\ell}$, its number of messages is in $2^{O(mn)}$, and its index is at most $|\mathcal{P}|^\ell$. Let $\mathcal{A}_H$ denote the projection of this CFM to the set of MSCs (i.e., we project away the labelings $c_\gamma$). Then $\mathcal{A}_H$ accepts an MSC $M$ with $\mathrm{Inf}(M) = I$ iff $M \models \psi$ for all $\psi \in H$.

Now the CFM $\mathcal{A}$ is the disjoint union of at most $2^\ell$ many CFMs of the form $\mathcal{A}_H$. □

Theorem 5.2. Let $\varphi$ be a global formula of PDL. Then one can construct a CFM $\mathcal{A}$ that
accepts $M$ iff $M \models \varphi$.

With $\ell$ the number of basic global subformulas of $\varphi$, $m$ the number of subformulas of
the form $\langle\pi\rangle\beta$, and $n \in \mathbb{N}$ such that $s(\pi;\beta) \le n$ for all such subformulas, the number of
local states per process is in $2^{O(m(n+|\mathcal{P}|) + |\mathcal{P}|\ell + |\mathcal{P}|)}$ and the number of control messages is in
$2^{O(\ell + mn + |\mathcal{P}|^2)}$.

Proof. Let, for $I \subseteq \mathrm{Ch}$, $\mathcal{A}_I$ denote the CFM from Prop. 5.1 and $\mathcal{B}_I$ the CFM constructed earlier
that accepts $M$ iff $\mathrm{Inf}(M) = I$. Using Prop. 3.3 one can construct a CFM $\mathcal{C}_I$ accepting
$L(\mathcal{A}_I) \cap L(\mathcal{B}_I)$. Its number of local states per process is the product of the bounds for $\mathcal{A}_I$,
for $\mathcal{B}_I$ and for the product construction, and lies in $2^{O(m(n+|\mathcal{P}|) + |\mathcal{P}|\ell + |\mathcal{P}|)}$.

Then the disjoint union $\mathcal{A}$ of all these CFMs $\mathcal{C}_I$ for $I \subseteq \mathrm{Ch}$ (there are $2^{|\mathrm{Ch}|} \le 2^{|\mathcal{P}|^2}$ of
them) has all the desired properties.

□



6. Model checking

6.1. CFMs vs. PDL specifications. We aim at an algorithm that decides whether, given
a global formula $\varphi$ and a CFM $\mathcal{A}$, every MSC $M \in L(\mathcal{A})$ satisfies $\varphi$. The undecidability
of this problem can be shown following, e.g., the proof in [MR04] (that paper deals with
Lamport diagrams and a fragment $\mathrm{LD}_0$ of PDL, but the proof ideas can be easily transferred
to our setting). To gain decidability, we follow the successful approach of, e.g., [MM01,
GMSZ02, GKM06], and restrict attention to existentially $B$-bounded MSCs from $L(\mathcal{A})$.
For a finite or infinite word $w \in \Sigma^\infty$ and $a \in \Sigma$, let $|w|_a$ denote the number of occurrences
of $a$ in $w$. For $0 \le i \le j < |w|$, the infix $w[i,j]$ is the factor of $w$ starting in position $i$
and ending in position $j$, i.e., $w = u\,w[i,j]\,v$ with $|u| = i$ and $|w[i,j]| = j - i + 1$. If $|w| > i$,
then we write $w(i)$ for $w[i,i]$, the letter no. $i+1$ in $w$ (note that $w(0)$ is the first letter of $w$).

Let $M = (V, \le, \lambda)$ be an MSC. A linearization of $M$ is a linear order $\sqsubseteq\ \supseteq\ \le$ on $V$ of
order type at most $\omega$ (i.e., also with respect to $\sqsubseteq$, any node $v \in V$ dominates a finite set).
Since equally-labeled nodes of $M$ are comparable, we can safely identify a linearization of
$M$ with a word from $\Sigma^\infty$.

A word $w \in \Sigma^\infty$ is $B$-bounded (where $B \in \mathbb{N}$) if, for any $(p,q) \in \mathrm{Ch}$ and any finite
prefix $u$ of $w$, $0 \le |u|_{p!q} - |u|_{q?p} \le B$. An MSC $M$ is existentially $B$-bounded if it admits a
$B$-bounded linearization. Intuitively, this means that the MSC $M$ can be scheduled in such
a way that none of the channels $(p,q)$ ever contains more than $B$ pending messages.

Lemma 6.1. A $B$-bounded word $w \in \Sigma^\infty$ is a linearization of some MSC $M$ iff, for any
$(p,q) \in \mathrm{Ch}$, any finite prefix of $w$ can be extended to a finite prefix $u$ of $w$ such that

(1) $|u|_{p!q} = |u|_{q?p}$, or

(2) $u$ is a proper prefix of $w$ whose last letter is $p!q$.

(For a finite word $w$, the prefix $w$ itself admits no proper extension, so (1) must hold for $w$: every
send has been received. Without the word "proper" in (2), the single-letter word $p!q$ would satisfy
the condition although it is not a linearization of any MSC.)

Proof. First suppose that $w$ is a linearization of some MSC. Then $|w|_{p!q} = |w|_{q?p}$. If this
number is finite, we can extend any finite prefix to some finite prefix satisfying (1), namely one that
contains all occurrences of $p!q$ and $q?p$. Otherwise $w$ is infinite and any suffix contains at least one
occurrence of $p!q$, so any prefix can be extended to some larger, hence proper, prefix ending with $p!q$.

Conversely suppose that any finite prefix can be extended to a finite prefix satisfying
(1) or (2). We construct from $w$ an MSC as follows:

• the set of nodes equals $V = \{v \in \mathbb{N} \mid v < |w|\}$,

• for $v \in V$ let $\lambda(v) = w(v)$,

• let $(i,j) \in \mathrm{proc}'$ iff $0 \le i < j < |w|$ and there exists a process $p \in \mathcal{P}$ with $\lambda(i), \lambda(j) \in \Sigma_p$
and, for all $k$ with $i \le k < j$ and $\lambda(k) \in \Sigma_p$, we have $i = k$,

• let $(i,j) \in \mathrm{msg}'$ iff $i,j \in V$ and there exists a channel $(p,q) \in \mathrm{Ch}$ such that $w(i) = p!q$,
$w(j) = q?p$, and $|w[0,i]|_{p!q} = |w[0,j]|_{q?p}$,

• then set $\le\ = (\mathrm{msg}' \cup \mathrm{proc}')^* \subseteq V^2$.

Suppose $(i,j) \in \mathrm{msg}'$ and $j < i$. Then $|w[0,j]|_{p!q} - |w[0,j]|_{q?p} < |w[0,i]|_{p!q} - |w[0,j]|_{q?p} = 0$,
contradicting the $B$-boundedness of $w$. Hence $\mathrm{msg}'$ and $\mathrm{proc}'$ are contained in the natural order $<$,
proving that $\le$ is a partial order on $V$. Since $\le$ is contained in the natural order on the set of
natural numbers $V$, the word $w$ is a linearization of $M = (V, \le, \lambda)$. It therefore remains to
be shown that $M$ is an MSC:

• It is easily verified that $\mathrm{msg} = \mathrm{msg}'$ and $\mathrm{proc} = \mathrm{proc}'$, implying $\le\ = (\mathrm{msg} \cup \mathrm{proc})^*$.

• By the definition of $\mathrm{proc}'$, any two nodes $i$ and $j$ with $P(i) = P(j)$ are ordered by $\le$.

• Let $(p,q) \in \mathrm{Ch}$ be some channel. Since $w$ is $B$-bounded, we have $|w|_{p!q} \ge |w|_{q?p}$. Now
suppose $|w|_{p!q} > |w|_{q?p}$. Then there are only finitely many occurrences of $q?p$; let $u_1$ with
$|u_1|_{p!q} - |u_1|_{q?p} > 0$ be a finite prefix of $w$ that contains all occurrences of $q?p$. No prefix
extending $u_1$ satisfies (1), since it contains no further occurrence of $q?p$. If $w$ is finite, we may
choose $u_1 = w$, which has no proper extension, contradicting our assumption on $w$. So $w$ is infinite,
and by our assumption on $w$ the prefix $u_1 a$ (with $a$ the letter of $w$ following $u_1$) can be extended
to a finite prefix $u_2$ of $w$ whose last letter is $p!q$. Hence $|u_2|_{p!q} - |u_2|_{q?p} > |u_1|_{p!q} - |u_1|_{q?p}$.
Inductively, we find a finite prefix $u$ with $|u|_{p!q} - |u|_{q?p} > B$, contradicting the $B$-boundedness
of $w$. Hence $|\lambda^{-1}(p!q)| = |w|_{p!q} = |w|_{q?p} = |\lambda^{-1}(q?p)|$, which finishes the proof that
$(V, \le, \lambda)$ is an MSC.

□
We next construct, from a CFM $\mathcal{A} = (C, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$ and a bound $B \in \mathbb{N}$, a finite
transition system over $\Sigma$ with multiple Büchi acceptance conditions that accepts the set of
$B$-bounded linearizations of MSCs from $L(\mathcal{A})$:

• A configuration is a tuple $((s_p)_{p \in \mathcal{P}}, \chi, (p,q))$ with the current local states $s_p \in S_p$ for all
$p \in \mathcal{P}$, the channel contents $\chi : \mathrm{Ch} \to C^*$ with $|\chi(p',q')| \le B$ for all $(p',q') \in \mathrm{Ch}$, and the
last active channel $(p,q) \in \mathrm{Ch}$.

• The initial configuration is the tuple $((\iota_p)_{p \in \mathcal{P}}, \chi, (p,q))$ with $\chi(p',q') = \varepsilon$ for all $(p',q') \in
\mathrm{Ch}$, and where $(p,q) \in \mathrm{Ch}$ is an arbitrary but fixed channel, i.e., the local machines are
in their initial state and all channels are empty.

• We have a transition

$((s^1_p)_{p \in \mathcal{P}}, \chi^1, (p^1,q^1)) \xrightarrow{a} ((s^2_p)_{p \in \mathcal{P}}, \chi^2, (p^2,q^2))$

for an action $a \in \Sigma_p$ iff there exists a control message $c \in C$ such that

(T1) $s^1_p \xrightarrow{a,c}_p s^2_p$ is a transition of the local machine $\mathcal{A}_p$ and $s^1_q = s^2_q$ for $q \ne p$,

(T2) send events: if $a = p!q$, then $\chi^2(p,q) = \chi^1(p,q)\,c$ (i.e., message $c$ is appended to
the channel from $p$ to $q$) and $\chi^1(p',q') = \chi^2(p',q')$ for $(p',q') \ne (p,q)$ (i.e., all other
channels are unchanged),

(T3) receive events: if $a = p?q$, then $\chi^1(q,p) = c\,\chi^2(q,p)$ (i.e., message $c$ is removed from the
head of the channel from $q$ to $p$) and $\chi^1(q',p') = \chi^2(q',p')$ for $(q',p') \ne (q,p)$ (i.e., all other
channels are unchanged),

(T4) $(p^2,q^2)$ is the channel that $a$ writes to or reads from.

A finite or infinite path $((s^i_p)_{p \in \mathcal{P}}, \chi^i, (p^i,q^i))_{0 \le i < x}$ (for some $x \in \mathbb{N} \cup \{\omega\}$) in this transition
system is successful if

(S1) there exists a tuple $(f_p)_{p \in \mathcal{P}} \in F$ such that, for all $p \in \mathcal{P}$ and $0 \le i < x$, there exists
$i \le j < x$ with $s^j_p = f_p$, and

(S2) for all $(p,q) \in \mathrm{Ch}$ and $0 \le i < x$, there exists $i \le j < x$ such that $\chi^j(p,q) = \varepsilon$, or
$(p^j,q^j) = (p,q)$ and $j + 1 < x$.

The side condition $j + 1 < x$ in (S2) only matters for finite paths: it excludes the last configuration,
so that a finite successful path ends with all channels empty, as it must if its label is to be a
linearization of an MSC in which every message is received.

Lemma 6.2. Let $w \in \Sigma^\infty$. Then the following are equivalent:
(i) $w$ is the label of some successful path in the above transition system.
(ii) $w$ is a $B$-bounded linearization of some MSC from $L(\mathcal{A})$.

Proof. To prove the implication (ii)$\Rightarrow$(i), let $M = (V, \le, \lambda) \in L(\mathcal{A})$ be an MSC accepted
by $\mathcal{A}$, let $w \in \Sigma^\infty$ be a $B$-bounded linearization of $M$, and let $(\rho, \mu)$ be a successful run
of $\mathcal{A}$ on $M$. Without loss of generality, we can assume $V = \{v \in \mathbb{N} \mid 0 \le v < |w|\}$ and
$\le\ \subseteq\ \le_{\mathbb{N}}$ such that $w$ is the sequence of labels of $(V, \le_{\mathbb{N}}, \lambda)$. Let $x = |w| + 1$ if $w$ is
finite and $x = \omega$ otherwise. For $i = 0$, let $((s^0_p), \chi^0, (p^0,q^0))$ be the initial configuration of
the transition system. Now let $0 < i < x$. For $p \in \mathcal{P}$, let $s^i_p = \iota_p$ if there is no $0 \le j < i$
with $w(j) \in \Sigma_p$; otherwise set $s^i_p = \rho(j)$ for $j$ the maximal natural number with $j < i$ and
$w(j) \in \Sigma_p$. For $(p,q) \in \mathrm{Ch}$, set $\chi^i(p,q) = \mu(j_1)\mu(j_2)\cdots\mu(j_k)$ where $0 \le j_1 < j_2 < \cdots < j_k < i$
is the sequence of those nodes from $V$ with $\lambda(j_l) = p!q$ and $\mathrm{msg}(j_l) \ge i$, i.e., the messages
sent but not yet received before position $i$ (since $w$ is $B$-bounded, we have $0 \le k \le B$). Finally,
$(p^i,q^i)$ is the channel that the action $w(i-1)$ writes to or reads from. Then it can be checked that
the sequence of these configurations $((s^i_p), \chi^i, (p^i,q^i))_{0 \le i < x}$ forms a path in the transition
system labeled by $w$. We show that it is successful:

(S1) Since $(\rho, \mu)$ is successful, there exists $(f_p)_{p \in \mathcal{P}} \in F$ such that for all $p \in \mathcal{P}$ and all $v \in V$
with $\lambda(v) \in \Sigma_p$, there exists $v' \in V$ with $\lambda(v') \in \Sigma_p$, $v \le v'$, and $\rho(v') = f_p$ (and $f_p = \iota_p$
if process $p$ has no event at all). Now let $p \in \mathcal{P}$ and $0 \le i < x$. If $p$ has no event, then
$s^j_p = \iota_p = f_p$ for all $j$. If $p$ has an event $v \ge i$, pick $v' \ge v$ as above; then $i \le v' + 1 < x$ and
$s^{v'+1}_p = \rho(v') = f_p$. Otherwise $p$ has only finitely many events, and its last event $v$ forces
$v' = v$, so $\rho(v) = f_p$ and $s^j_p = f_p$ for all $j > v$, in particular for some $i \le j < x$.

(S2) Let $(p,q) \in \mathrm{Ch}$ and $0 \le i < |w|$. Since $w$ is $B$-bounded, the previous lemma implies the existence
of $i \le j < |w|$ such that $|w[0,j]|_{p!q} = |w[0,j]|_{q?p}$ or $w[0,j]$ is a proper prefix of $w$ whose last
letter is $p!q$. Hence $\chi^{j+1}(p,q) = \varepsilon$, or $(p^{j+1},q^{j+1}) = (p,q)$ with $j + 2 < x$. If $w$ is finite and
$i = |w|$ is the index of the last configuration, then $\chi^i(p,q) = \varepsilon$ because every message of $M$
has been received.

Conversely assume (i). Since all the channels in the transition system contain at most
$B$ messages, the word $w$ is $B$-bounded. Since the path satisfies (S2), the word $w$ is, by the
previous lemma, a linearization of some MSC: if $w$ is finite, (S2) applied to the last configuration
yields empty channels; if $w$ is infinite and some channel $(p,q)$ is non-empty from some point on,
then (S2) yields infinitely many actions on $(p,q)$ and hence, by $B$-boundedness, infinitely many
occurrences of $p!q$, which is condition (2) of Lemma 6.1. Now, using (S1) it can be verified
similarly to above that this MSC is accepted by $\mathcal{A}$. □
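The following Python program is an added example and not part of the paper: it implements the bounded-channel transition system above for finite words (rules (T1) to (T3); the last-active-channel component is dropped, since for finite paths the successful ones are exactly those that end in an accepting state tuple with all channels empty), searches it breadth-first for a successful path, and checks a word against the finite-word reading of Lemma 6.1. The dictionary encoding of a CFM, the message names and the two CFMs `PING_PONG` and `THREE_PROC` are constructed for this example; in `THREE_PROC` process 1 may read the first message from process 0 only after a detour through process 2, so both messages are pending at once and the MSC is existentially 2-bounded but not 1-bounded.

```python
"""Bounded-channel transition system of Section 6.1 and the finite-word
reading of Lemma 6.1 (added example, not from the paper)."""
from collections import deque


def channels(procs):
    """All channels (p, q) with p != q, in a fixed order."""
    return [(p, q) for p in procs for q in procs if p != q]


def successors(cfm, config, bound):
    """Rules (T1)-(T3): from a configuration (local states, channel contents) yield
    (action, next configuration); a send that would leave more than `bound`
    messages in a channel is refused, so every reachable configuration is bounded."""
    states, chans = config
    procs, chs = cfm['procs'], channels(cfm['procs'])
    for idx, p in enumerate(procs):
        for (s, action, msg), s2 in cfm['delta'][p].items():     # (T1): local step of p
            if s != states[idx]:
                continue
            new_chans = list(chans)
            if '!' in action:                                     # (T2): p!q appends msg to (p, q)
                c = chs.index((p, action.split('!')[1]))
                if len(chans[c]) >= bound:
                    continue
                new_chans[c] = chans[c] + (msg,)
            else:                                                 # (T3): p?q pops msg from (q, p)
                c = chs.index((action.split('?')[1], p))
                if not chans[c] or chans[c][0] != msg:
                    continue
                new_chans[c] = chans[c][1:]
            yield action, (states[:idx] + (s2,) + states[idx + 1:], tuple(new_chans))


def find_bounded_linearization(cfm, bound):
    """Breadth-first search for a finite successful path: the last configuration
    has an accepting state tuple (S1) and empty channels (S2).  Returns the action
    word, or None if no MSC of L(A) has a `bound`-bounded linearization."""
    procs = cfm['procs']
    init = (tuple(cfm['init'][p] for p in procs), tuple(() for _ in channels(procs)))
    parent = {init: None}
    queue = deque([init])
    while queue:
        config = queue.popleft()
        states, chans = config
        if states in cfm['final'] and all(len(ch) == 0 for ch in chans):
            word = []
            while parent[config] is not None:
                action, config = parent[config]
                word.append(action)
            return word[::-1]
        for action, nxt in successors(cfm, config, bound):
            if nxt not in parent:
                parent[nxt] = (action, config)
                queue.append(nxt)
    return None


def is_bounded_linearization(word, procs, bound):
    """Lemma 6.1 for a finite word: every prefix u keeps 0 <= |u|_{p!q} - |u|_{q?p} <= bound
    on every channel, and the complete word leaves every channel empty."""
    pending = {ch: 0 for ch in channels(procs)}
    for action in word:
        if '!' in action:
            p, q = action.split('!')
            pending[(p, q)] += 1
        else:
            p, q = action.split('?')
            pending[(q, p)] -= 1
        if any(n < 0 or n > bound for n in pending.values()):
            return False
    return all(n == 0 for n in pending.values())


# Constructed CFMs.  PING_PONG: process 0 sends one request and waits for the acknowledgement.
PING_PONG = {
    'procs': ['0', '1'],
    'init': {'0': 'a0', '1': 'b0'},
    'delta': {'0': {('a0', '0!1', 'req'): 'a1', ('a1', '0?1', 'ack'): 'a2'},
              '1': {('b0', '1?0', 'req'): 'b1', ('b1', '1!0', 'ack'): 'b2'}},
    'final': {('a2', 'b2')},
}
# THREE_PROC: process 0 sends x and y to process 1 and then z to process 2; process 2
# forwards 'go' to process 1, which reads x and y only afterwards.  When process 1
# reads x, both x and y are pending in channel (0, 1), so no linearization is 1-bounded.
THREE_PROC = {
    'procs': ['0', '1', '2'],
    'init': {'0': 'a0', '1': 'b0', '2': 'c0'},
    'delta': {'0': {('a0', '0!1', 'x'): 'a1', ('a1', '0!1', 'y'): 'a2', ('a2', '0!2', 'z'): 'a3'},
              '1': {('b0', '1?2', 'go'): 'b1', ('b1', '1?0', 'x'): 'b2', ('b2', '1?0', 'y'): 'b3'},
              '2': {('c0', '2?0', 'z'): 'c1', ('c1', '2!1', 'go'): 'c2'}},
    'final': {('a3', 'b3', 'c2')},
}

if __name__ == '__main__':
    for name, cfm in (('PING_PONG', PING_PONG), ('THREE_PROC', THREE_PROC)):
        for bound in (1, 2):
            print(name, 'B =', bound, '->', find_bounded_linearization(cfm, bound))
```

The search explores only configurations whose channels hold at most `bound` messages, which is what makes the state space finite; with `bound = 1` the `THREE_PROC` search dies after the first send, with `bound = 2` it returns the unique 2-bounded linearization.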

Theorem 6.3. The following problem is PSPACE-complete:

Input: $B \in \mathbb{N}$ (given in unary), a CFM $\mathcal{B}$, and a global formula $\varphi \in \mathrm{PDL}$.

Question: Is there an existentially $B$-bounded MSC $M \in L(\mathcal{B})$ with $M \models \varphi$?

Proof. Theorem 5.2 allows us to build a CFM $\mathcal{A}_\varphi$ that accepts $M$ iff $M \models \varphi$. From Proposition 3.3
we then obtain a CFM $\mathcal{A}$ with $L(\mathcal{A}) = L(\mathcal{B}) \cap L(\mathcal{A}_\varphi)$, i.e., $M \in L(\mathcal{A})$ iff $M \in L(\mathcal{B})$
and $M \models \varphi$. To decide the existence of some existentially $B$-bounded MSC in $L(\mathcal{A})$, it suffices,
by Lemma 6.2, to decide whether the above transition system has some successful path. Recall that
such a path has to simultaneously satisfy $b = |\mathcal{P}| + |\mathrm{Ch}|$ many Büchi conditions. Extending
the configurations of the transition system by a counter that counts up to $b+1$ allows us to have
just one Büchi condition [Cho74]. Note that any configuration of the resulting transition
system can be stored in space

$\log(b) + |\mathcal{P}| \log n + |\mathrm{Ch}|\, B \log|C| + \log|\mathrm{Ch}|$

where $C$ is the set of message contents of $\mathcal{A}$ and $n$ is the maximal number of local states a
process of $\mathcal{A}$ has. Due to Theorem 5.2 the size of the CFM $\mathcal{A}_\varphi$ is exponential in the size
of $\varphi$, and by Proposition 3.3, $\mathcal{A}$ stays exponential in the size of the input. Hence $\log n$ and
$\log|C|$ are polynomial in the input, and since $B$ is given in unary, so is the space bound above.
The existence of a successful path can therefore be checked on the fly in nondeterministic polynomial
space (guess an accepting configuration together with a path to it and a cycle through it, storing
only the current configuration), so by Savitch's theorem the model checking problem can be decided
in polynomial space.

The hardness result follows from PSPACE-hardness of LTL model checking. □

Since the negation of a global formula is equivalent to a global formula ($\neg\mathsf{A}\alpha \equiv \mathsf{E}\neg\alpha$ and
$\neg\mathsf{E}\alpha \equiv \mathsf{A}\neg\alpha$), the complementary question whether every existentially $B$-bounded MSC of
$L(\mathcal{B})$ satisfies $\varphi$ is decided by the same algorithm applied to $\neg\varphi$.
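The counter construction of [Cho74] used in the proof, as an added Python example that is not part of the paper: $b$ Büchi sets over an explicit transition system are reduced to a single one by pairing every state with a counter in $\{0, \ldots, b\}$, and emptiness is then decided by looking for a reachable accepting product state that lies on a cycle. The graph `GRAPH`, its state names and the acceptance sets are constructed for the example and stand in for the configuration graph of the transition system above, whose configurations would play the role of the states here (the paper's algorithm keeps only one configuration in memory; this example materializes the graph for readability).

```python
"""Several Büchi conditions reduced to one by a counter [Cho74], with an
explicit-state emptiness check (added example, not from the paper)."""
from collections import deque


def counter_product(graph, init, conds):
    """Product of `graph` (state -> list of successors) with a counter in {0..b},
    b = len(conds).  From counter i < b the counter moves to i + 1 when the current
    state lies in conds[i]; from b it is reset to 0.  A run visits counter value b
    infinitely often iff it visits every conds[i] infinitely often, so the product
    states with counter b form the single Büchi set.  Returns the initial product
    state, the successor function and the acceptance predicate."""
    b = len(conds)

    def succ(ps):
        s, i = ps
        j = 0 if i == b else i + 1 if s in conds[i] else i
        return [(t, j) for t in graph.get(s, ())]

    return (init, 0), succ, (lambda ps: ps[1] == b)


def find_accepting_lasso(init, succ, accepting):
    """Büchi emptiness on an explicit graph: an accepting run exists iff some accepting
    state is reachable from init and lies on a cycle.  Returns (prefix, cycle), where
    prefix leads from init to cycle[0] and cycle returns to cycle[0], or None."""
    parent, order, reachable = {init: None}, deque([init]), []
    while order:                                   # forward reachability with parents
        x = order.popleft()
        reachable.append(x)
        for y in succ(x):
            if y not in parent:
                parent[y] = x
                order.append(y)
    for x in reachable:
        if not accepting(x):
            continue
        back, frontier = {}, deque()               # search a path from a successor of x back to x
        for y in succ(x):
            if y not in back:
                back[y] = x
                frontier.append(y)
        while frontier and x not in back:
            z = frontier.popleft()
            for y in succ(z):
                if y not in back:
                    back[y] = z
                    frontier.append(y)
        if x in back:
            cycle, z = [x], back[x]
            while z != x:
                cycle.append(z)
                z = back[z]
            prefix, z = [], parent[x]
            while z is not None:
                prefix.append(z)
                z = parent[z]
            return prefix[::-1], [x] + cycle[:0:-1]
    return None


def check_generalized_buchi(graph, init, conds):
    """Does `graph` have a run from init that visits every set in conds infinitely often?"""
    pinit, succ, accepting = counter_product(graph, init, conds)
    return find_accepting_lasso(pinit, succ, accepting)


# Constructed example graph: a four-state cycle A-B-C-D plus an escape into the sink E.
GRAPH = {'A': ['B'], 'B': ['C'], 'C': ['D'], 'D': ['A', 'E'], 'E': ['E']}

if __name__ == '__main__':
    print(check_generalized_buchi(GRAPH, 'A', [{'B'}, {'D'}]))   # lasso through A, B, C, D
    print(check_generalized_buchi(GRAPH, 'A', [{'B'}, {'E'}]))   # None: B and E never both recur
```

The counter is what the proof's "$\log(b)$" term in the space bound pays for; everything else in the product state is a configuration of the original transition system.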

6.2. HMSCs vs. PDL specifications. In [Pel00], Peled provides a PSPACE model checking
algorithm for high-level message sequence charts (HMSCs) against formulas of the logic
$\mathrm{TLC}^-$. The logic $\mathrm{TLC}^-$ is a fragment of our logic PDL, as can be shown easily. Now we
aim to model check an HMSC against a global formula of PDL and, thereby, to generalize
Peled's result.

Definition 6.4. An HMSC $\mathcal{H} = (S, \to, s_0, c, \mathcal{M})$ is a finite directed graph $(S, \to)$ with
initial node $s_0 \in S$, $\mathcal{M}$ a finite set of finite MSCs, and a labeling function $c : S \to \mathcal{M}$.

For defining the semantics of HMSCs we need a concatenation operation. Let $M_1 =
(V_1, \le_1, \lambda_1)$ and $M_2 = (V_2, \le_2, \lambda_2)$ be two finite MSCs over the same process set $\mathcal{P}$ with
disjoint node sets. Then $M_1 M_2 = (V, \le, \lambda)$ is given by $V = V_1 \cup V_2$, $\lambda = \lambda_1 \cup \lambda_2$, and $\le$ is
the least partial order containing $\le_1 \cup \le_2$ and $\{(v_1,v_2) \mid v_1 \in V_1, v_2 \in V_2, P(v_1) = P(v_2)\}$.
Informally, the events of $M_2$ succeed the events of $M_1$ on each process.

Let $\mathcal{H} = (S, \to, s_0, c, \mathcal{M})$ be an HMSC. Let $\eta$ be a maximal path of $(S, \to)$ starting in
$s_0$, i.e., either a finite path $\eta = s_0 \to s_1 \to \cdots \to s_n$ that ends in an $s_n \in S$ such that there is
no $s \in S$ with $s_n \to s$, or an infinite path $\eta = s_0 \to s_1 \to \cdots$. The labeling function $c$ can
now be extended to paths by $c(\eta) = c(s_0)c(s_1)\cdots$. The MSC language of the HMSC $\mathcal{H}$ is
now $L(\mathcal{H}) = \{c(\eta) \mid \eta \text{ is a maximal path starting in } s_0\}$. Note that for any HMSC $\mathcal{H}$ the
language $L(\mathcal{H})$ is existentially $B$-bounded for some $B \in \mathbb{N}$. Indeed, any finite MSC $M$ is
existentially $B_M$-bounded for some $B_M \in \mathbb{N}$, and concatenating $B_{c(s_i)}$-bounded linearizations
of the $c(s_i)$ (each of which leaves every channel empty, since all messages of a finite MSC are
received within it) yields a $B$-bounded linearization of $c(\eta)$ for $B = \max\{B_M \mid M \in \mathcal{M}\}$.

Theorem 6.5. The following problem is PSPACE-complete:
Input: An HMSC $\mathcal{H}$ and a global formula $\varphi \in \mathrm{PDL}$.
Question: Is there an MSC $M \in L(\mathcal{H})$ with $M \models \varphi$?

Proof. Let $\mathcal{H} = (S, \to, s_0, c, \mathcal{M})$ be an HMSC. For every $s \in S$ we can fix a linearization
of the finite MSC $c(s)$. Now it is easy to construct a finite (Büchi) automaton $\mathcal{S}_\mathcal{H}$ that
accepts a linearization of each and every MSC $M \in L(\mathcal{H})$ and, vice versa, each (finite or
infinite) word accepted by $\mathcal{S}_\mathcal{H}$ is a linearization of an $M \in L(\mathcal{H})$: its states are the nodes of $\mathcal{H}$
paired with positions in the fixed linearizations. Note that the size of $\mathcal{S}_\mathcal{H}$ is linear in the size of $\mathcal{H}$.

By Theorem 5.2 we can build a CFM $\mathcal{A}_\varphi$ with $M \in L(\mathcal{A}_\varphi)$ iff $M \models \varphi$. From $\mathcal{A}_\varphi$ and
$\mathcal{S}_\mathcal{H}$ (which is implicitly existentially $B$-bounded for some $B \in \mathbb{N}$) we construct stepwise
a transition system $\mathcal{S}$ by running $\mathcal{A}_\varphi$ and $\mathcal{S}_\mathcal{H}$ simultaneously (cf. the construction before
Lemma 6.2). The construction terminates because a run of $\mathcal{S}_\mathcal{H}$ allows for $B$-bounded
linearizations only. A run in $\mathcal{S}$ is successful if both projections of the run are successful. Now
$\mathcal{S}$ admits a successful run iff there is an existentially $B$-bounded linearization $w_M$ of some
$M \in L(\mathcal{H}) \cap L(\mathcal{A}_\varphi)$ (where $B$ is implicitly given by $\mathcal{H}$). An analysis similar to the one in
the proof of Theorem 6.3 shows that the existence of a successful path of $\mathcal{S}$ can be decided
in polynomial space.

Again, the hardness result is an easy consequence of PSPACE-hardness of LTL model
checking. □



7. PDL with intersection

Several extensions of PDL have been considered in the literature that still come with
positive decidability results [HKT00, GLL07]. Though these results were obtained in the
different context of evaluating a formula over a Kripke structure, it is natural to ask if such
extensions can be handled in our setting as well. We will study here PDL with intersection
(iPDL, for short), which is the canonical adaption of the logic IPDL, as defined in [HKT00],
to our setting. In addition to the local formulas of PDL, we allow local formulas $\langle \pi_1 \cap \pi_2 \rangle \alpha$
where $\pi_1$ and $\pi_2$ are path expressions and $\alpha$ is a local formula. The intended meaning is
that there exist two paths described by $\pi_1$ and $\pi_2$, respectively, that both lead to the same
node $w$ where $\alpha$ holds.

It is the aim of this section to prove that CFMs are too weak to check all properties
expressed in iPDL. To show this result more easily, we also allow atomic propositions of the
form $(a,b)$ with $a,b \in \{0,1\}$; they are evaluated over an MSC $M = (V, \le, \lambda)$ together with a
mapping $c : V \to \{0,1\}^2$. Then $(M,c), v \models (a,b)$ iff $c(v) = (a,b)$. Let $\mathcal{P} = \{0,1\}$ be the set
of processes. For $m \ge 1$, we first fix an MSC $M_m = (V_m, \le, \lambda)$ for the remaining arguments:
On process 0, it executes the sequence $(0!1)^m ((0?1)(0!1))^\omega$. The sequence of events on
process 1 is $(1?0)((1?0)(1!0))^\omega$. In other words, process 0 sends $m$ messages to process 1
and then acknowledges every message received from 1 immediately. Process 1, on the other hand,
keeps a buffer of two messages: after receiving message number $k+1$, it acknowledges message
number $k$.
Figure 5: MSC $M_4$ and the mapping $f$.

Let $E_{0!1}$ denote the set of send events of process 0. For the $k$-th send event $v$ on process
0, let $f(v) = ((m-k) \bmod m,\ (k-1) \operatorname{div} m)$. Then $f$ maps the set $E_{0!1}$ bijectively onto the
grid $G_m = \{0,1,\ldots,m-1\} \times \omega$; we denote the inverse of $f$ by $g$, so that $g(i,j)$ is the
$((j+1)m - i)$-th send event of process 0. Figure 5 shows MSC $M_4$ together with the mapping $f$.

Lemma 7.1. There exists a local formula $\alpha$ of iPDL such that, for any $m \ge 1$ and any
$c : V_m \to \{0,1\}^2$ satisfying $c(g(i,j)) = (0,0)$ iff $i = 0$, we have $(M_m, c) \models \mathsf{A}\alpha$ iff
$c(g(i,j)) = c(g(i,j+i))$ for all $(i,j) \in G_m$.

Proof. Let $(i,j) \in G_m$. Then observe the following:

• With $\pi_1$ denoting the path description $(\mathrm{proc}; \{(0?1)\})^*; \mathrm{proc}; \{(0!1)\}$, which leads from a send
event of process 0 to the next one, we have that $M_m, g(i,j) \models \langle\pi_1\rangle\beta$ iff $i > 0$ and
$M_m, g(i-1,j) \models \beta$, or $i = 0$ and $M_m, g(m-1,j+1) \models \beta$.

• With $\pi_2$ denoting the path description $\mathrm{msg}; \mathrm{proc}; \mathrm{msg}; \mathrm{proc}$, which leads from the $k$-th send
event of process 0 (for $k \ge 2$) to the $(k+m-1)$-th, we have $M_m, g(i,j) \models \langle\pi_2\rangle\beta$ iff
$M_m, g(i+1,j+1) \models \beta$ whenever $i < m-1$ (for $i = m-1$ and $j \ge 1$, $\pi_2$ leads to $g(0,j)$,
where $(0,0)$ holds; from $g(m-1,0)$ there is no $\pi_2$-path).

As a consequence, we obtain

• if $i > 0$, then $M_m, g(i,j) \models \langle\pi_1;\pi_2\rangle\beta$ iff $M_m, g(i,j+1) \models \beta$.

Now let $c : V_m \to \{0,1\}^2$ be a function with $c(g(i,j)) = (0,0)$ iff $i = 0$. Then we have

(1) $(M_m,c), g(i,j) \models \langle \{\neg(0,0)\}; (\pi_1;\pi_2)^* \rangle\beta$ iff $i > 0$ and there exists $k \ge 0$ with
$(M_m,c), g(i,j+k) \models \beta$,

(2) $(M_m,c), g(i,j) \models \langle (\{\neg(0,0)\};\pi_1)^*; \{(0,0)\} \rangle\beta$ iff $(M_m,c), g(0,j) \models \beta$,

(3) $(M_m,c), g(0,j) \models \langle (\pi_2; \{\neg(0,0)\})^* \rangle\beta$ iff there is $0 \le k \le m-1$ with
$(M_m,c), g(k,j+k) \models \beta$.

Now let $\pi_3 = (\{\neg(0,0)\}; \pi_1)^*; \{(0,0)\}; (\pi_2; \{\neg(0,0)\})^*$ and $\pi_4 = \{\neg(0,0)\}; (\pi_1;\pi_2)^*$. By (2)
and (3), $\pi_3$ leads from $g(i,j)$ exactly to the nodes $g(k,j+k)$ with $0 \le k \le m-1$, and by (1), for
$i > 0$, $\pi_4$ leads from $g(i,j)$ exactly to the nodes $g(i,j+k)$ with $k \ge 0$; the only common target is
$g(i,j+i)$. Hence we have $(M_m, c), g(i,j) \models \langle\pi_3 \cap \pi_4\rangle\beta$ iff $i > 0$ and $(M_m, c), g(i,j+i) \models \beta$.
Now let

$\alpha = \big((0!1) \wedge \neg(0,0)\big) \to \bigwedge_{x \in \{0,1\}^2} \big(x \to \langle\pi_3 \cap \pi_4\rangle x\big).$

Then, for all $(i,j) \in G_m$, we have $(M_m,c), g(i,j) \models \alpha$ iff $c(g(i,j)) = c(g(i,j+i))$ (for $i = 0$ both
sides hold trivially). Since $\alpha$ holds at every node that is not a send event of process 0, this
proves the lemma. □
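As an added example that is not part of the paper, the following Python code builds a finite prefix of $M_m$, the bijection $f$ and its inverse $g$, and evaluates the path expressions $\pi_1$ to $\pi_4$ of the proof, including the intersection $\pi_3 \cap \pi_4$, as sets of reachable nodes. The encoding of path expressions as nested tuples, the labelings $c$ (one satisfying (2) of Lemma 7.2 and one deliberately breaking it at a single cell), and the prefix length (40 send events on process 0) are assumptions of the example; on a finite prefix a star simply stops where the prefix ends, so only cells well inside the prefix are meaningful.

```python
"""The MSC M_m of Section 7, the grid bijection f / g and the iPDL path expressions
pi_1 .. pi_4 of Lemma 7.1 on a finite prefix (added example, not from the paper)."""


class MSC:
    """Nodes are (process, position); proc / msg map a node to its successor."""

    def __init__(self, label, proc, msg):
        self.label, self.proc, self.msg = label, proc, msg

    def reach(self, pi, v):
        """All nodes reachable from v along a path described by pi, where pi is
        ('proc',), ('msg',), ('test', pred), ('seq', a, b), ('star', a) or ('cap', a, b)."""
        kind = pi[0]
        if kind == 'proc':
            return {self.proc[v]} if v in self.proc else set()
        if kind == 'msg':
            return {self.msg[v]} if v in self.msg else set()
        if kind == 'test':
            return {v} if pi[1](v) else set()
        if kind == 'seq':
            return {w for u in self.reach(pi[1], v) for w in self.reach(pi[2], u)}
        if kind == 'star':                  # least fixpoint; finite because the prefix is
            seen, frontier = {v}, {v}
            while frontier:
                frontier = {w for u in frontier for w in self.reach(pi[1], u)} - seen
                seen |= frontier
            return seen
        if kind == 'cap':                   # intersection: targets reached by both paths
            return self.reach(pi[1], v) & self.reach(pi[2], v)
        raise ValueError(pi)


def seq(*parts):
    pi = parts[0]
    for part in parts[1:]:
        pi = ('seq', pi, part)
    return pi


def build_M_m(m, sends_on_0):
    """Constructed prefix of M_m with `sends_on_0` send events on process 0: process 0
    runs (0!1)^m ((0?1)(0!1))^*, process 1 runs (1?0)((1?0)(1!0))^*, and the k-th send
    on a channel is matched with the k-th receive (FIFO).  Returns (msc, f, g)."""
    seq0 = ['0!1'] * m + [e for _ in range(sends_on_0 - m) for e in ('0?1', '0!1')]
    seq1 = ['1?0'] + [e for _ in range(sends_on_0 - 1) for e in ('1?0', '1!0')]
    label, proc, msg = {}, {}, {}
    for p, events in (('0', seq0), ('1', seq1)):
        for k, a in enumerate(events):
            label[(p, k)] = a
            if k + 1 < len(events):
                proc[(p, k)] = (p, k + 1)
    for send, recv in (('0!1', '1?0'), ('1!0', '0?1')):
        sends = [v for v in sorted(label) if label[v] == send]
        recvs = [v for v in sorted(label) if label[v] == recv]
        msg.update(zip(sends, recvs))       # unmatched sends at the end stay dangling
    sends0 = [v for v in sorted(label) if label[v] == '0!1']
    f = lambda v: ((m - sends0.index(v) - 1) % m, sends0.index(v) // m)   # k = index + 1
    g = lambda i, j: sends0[(j + 1) * m - i - 1]
    return MSC(label, proc, msg), f, g


def labeling(msc, f, flips=()):
    """c : V -> {0,1}^2 with c(g(i,j)) = (0,0) iff i = 0 and otherwise depending on i
    only, so that (2) of Lemma 7.2 holds; nodes in `flips` are overwritten with (1,1)."""
    c = {}
    for v, a in msc.label.items():
        if a != '0!1':
            c[v] = (1, 1)
        else:
            i = f(v)[0]
            c[v] = (0, 0) if i == 0 else (i % 2, 1)
    for v in flips:
        c[v] = (1, 1)
    return c


def lemma_7_1_expressions(msc, c):
    """pi_1 .. pi_4 from the proof of Lemma 7.1 over the labeled MSC (msc, c)."""
    lab = lambda a: ('test', lambda v: msc.label[v] == a)
    zero, nonzero = ('test', lambda v: c[v] == (0, 0)), ('test', lambda v: c[v] != (0, 0))
    pi1 = seq(('star', seq(('proc',), lab('0?1'))), ('proc',), lab('0!1'))
    pi2 = seq(('msg',), ('proc',), ('msg',), ('proc',))
    pi3 = seq(('star', seq(nonzero, pi1)), zero, ('star', seq(pi2, nonzero)))
    pi4 = seq(nonzero, ('star', seq(pi1, pi2)))
    return pi1, pi2, pi3, pi4


def alpha_holds(msc, c, v, cap34):
    """alpha = ((0!1) and not (0,0)) -> AND_x (x -> <pi_3 cap pi_4> x) at node v."""
    if msc.label[v] != '0!1' or c[v] == (0, 0):
        return True
    return any(c[w] == c[v] for w in msc.reach(cap34, v))


def alpha_on_grid(msc, g, c, m, cols):
    """Truth value of alpha at g(i,j) for all 0 <= i < m and 0 <= j < cols."""
    _, _, pi3, pi4 = lemma_7_1_expressions(msc, c)
    cap34 = ('cap', pi3, pi4)
    return {(i, j): alpha_holds(msc, c, g(i, j), cap34) for i in range(m) for j in range(cols)}


if __name__ == '__main__':
    msc, f, g = build_M_m(4, 40)
    print(alpha_on_grid(msc, g, labeling(msc, f), 4, 3))
    print(alpha_on_grid(msc, g, labeling(msc, f, flips=[g(2, 3)]), 4, 3))   # false at (2, 1)
```

Flipping $c$ at $g(2,3)$ breaks condition (2) for the cell $(2,1)$ only, and $\alpha$ fails exactly there, which is the equivalence the lemma states.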
Lemma 7.2. Let $\mathcal{A} = (C, (\mathcal{A}_p)_{p \in \mathcal{P}}, F)$ be a CFM that accepts all labeled MSCs $(M_m, c)$
with $m \ge 1$ such that

(1) $c(g(i,j)) = (0,0)$ iff $i = 0$,

(2) $c(g(i,j)) = c(g(i,j+i))$ for all $(i,j) \in G_m$.

Then there exist $m \ge 1$ and a labeled MSC $(M_m, c)$ accepted by $\mathcal{A}$, satisfying (1), and
violating (2).

Proof. Let $\mathcal{A}_p = (S_p, \to_p, \iota_p)$ for $p = 0,1$, let $m > 1$ be such that
$|S_0| \cdot |S_1| \cdot |C|^{m-1} < 3^{m(m-1)/2}$, and let $M_m = (V_m, \le, \lambda)$. Let furthermore $H$ denote the
set of mappings $c : V_m \to \{0,1\}^2$ satisfying (1), (2), and $c(v) = (1,1)$ for all $v \notin E_{0!1}$ (i.e.,
$\lambda(v) \ne 0!1$). Then, for any $c \in H$, the pair $(M_m, c)$ is accepted by $\mathcal{A}$; let $(\rho_c, \mu_c)$ be an
accepting run of $\mathcal{A}$ on $(M_m, c)$.

Let $v = g(m-1, m-2)$ and $W = \{w \in V_m \mid w \le v\}$. Then, for any event $w \in W$ with
$\lambda(w) = 1!0$, we have $\mathrm{msg}(w) \in W$. On the other hand, there are precisely $m-1$ events
$w_1, \ldots, w_{m-1} \in W$ with $\lambda(w_i) = 0!1$ and $\mathrm{msg}(w_i) \notin W$. Let furthermore $u \in W$ be the
maximal event from process 1. Note that $v$ is the maximal event of process 0 in $W$ and that,
since $W$ is downward closed, the only edges of $M_m$ connecting $W$ with its complement are the
process edges leaving $u$ and $v$ and the message edges leaving $w_1, \ldots, w_{m-1}$.

Consider $(M_m, c_1)$ and $(M_m, c_2)$ with $c_1, c_2 \in H$ and $c_1(g(i,j)) = c_2(g(i,j))$ for all
$0 \le j < i < m$. Then $c_1 = c_2$ by (2), since for $i > 0$ the value $c(g(i,j))$ is determined by
$c(g(i, j \bmod i))$. Hence $|H|$ is the number of mappings from $\{(i,j) \mid 0 \le j < i < m\}$ to
$\{0,1\}^2 \setminus \{(0,0)\}$, i.e., $3^{m(m-1)/2}$.

Since this number exceeds $|S_0| \cdot |S_1| \cdot |C|^{m-1}$, there exist $c_1 \ne c_2$ in $H$
with $\rho_{c_1}(v) = \rho_{c_2}(v)$, $\rho_{c_1}(u) = \rho_{c_2}(u)$, and $\mu_{c_1}(w_i) = \mu_{c_2}(w_i)$ for all $1 \le i \le m-1$.

Now define a mapping $c : V_m \to \{0,1\}^2$ by $c(x) = c_1(x)$ for $x \in W$ and $c(x) = c_2(x)$ for
$x \notin W$. Then $c$ satisfies (1) and violates (2). For the latter, note that all cells $g(i,j)$ with
$0 \le j < i < m$ lie in $W$ (their send events precede $v$ on process 0) and that every cell $g(i,j)$
with $i > 0$ has images $g(i, j + ti) \notin W$ for large $t$; if $c$ satisfied (2), then
$c_1(g(i,j)) = c(g(i,j)) = c(g(i,j+ti)) = c_2(g(i,j+ti)) = c_2(g(i,j))$ for all $0 \le j < i < m$, and
hence $c_1 = c_2$. But $(M_m, c)$ is accepted by $\mathcal{A}$: an accepting run $(\rho, \mu)$ is defined (similarly
to $c$) by

$\rho(x) = \rho_{c_1}(x)$ and $\mu(x) = \mu_{c_1}(x)$ for $x \in W$, and $\rho(x) = \rho_{c_2}(x)$ and $\mu(x) = \mu_{c_2}(x)$ otherwise.

This is a run because the two runs agree on the states at $u$ and $v$ and on the messages sent at
$w_1, \ldots, w_{m-1}$, the only places where $W$ and its complement interact, and it is accepting
because it coincides with $(\rho_{c_2}, \mu_{c_2})$ outside the finite set $W$.

□

Theorem 7.3. There exists a local formula $\alpha$ of iPDL such that the set of MSCs $M$
satisfying $\mathsf{A}\alpha$ cannot be accepted by a CFM.

Proof. Let $\alpha$ be the local formula from Lemma 7.1. Towards a contradiction, assume $\mathcal{A}$ is
a CFM such that, for any pair $(M,c)$, we have $(M,c) \models \mathsf{A}\alpha$ iff $(M,c)$ is accepted by $\mathcal{A}$. In
particular, $\mathcal{A}$ accepts all pairs $(M_m, c)$ satisfying (1) and (2) from Lemma 7.2. Hence there
exists some pair $(M_m, c)$ that is accepted by $\mathcal{A}$, satisfies (1), and violates (2). But now, by
Lemma 7.1 again, $(M_m, c) \not\models \mathsf{A}\alpha$, contradicting our assumption on $\mathcal{A}$.

This argument uses the additional atomic propositions $(a,b)$. Using a new process 2, one can
encode the mapping $c$ by additional messages from processes 0 and 1 to process 2, so that the
statement also holds for plain MSCs. □



8. Open questions

The semantics of every PDL formula $\varphi$ is the behavior of a CFM $\mathcal{A}$. Hence any PDL
formula is equivalent to some formula of existential monadic second-order logic, but a precise
description of the expressive power of PDL is not known. Because of quantification over
paths, it cannot be captured by first-order logic [DG04, Prop. 14]. On the other hand, PDL
is closed under negation, hence PDL is a proper fragment of existential monadic second-order
logic. But it is not even clear whether semantic membership in this fragment is decidable.

The decidability of the model checking problem for CFMs against MSO formulas was
shown in [GKM06] for existentially $B$-bounded MSCs. For compositional MSCs (a mechanism for
the description of sets of MSCs that is similar to but more general than HMSCs) and
MSO, the decidability of the model checking problem was established in [MM01]. Since the
logic iPDL, i.e., PDL with intersection, can be translated effectively into an MSO formula,
the model checking problem is decidable for iPDL. However, the complexity of MSO model
checking is non-elementary. Therefore, we would like to know if we can do any better for
iPDL.

In PDL, we can express properties of the past and of the future of an event by taking
either a backward or a forward path in the graph of the MSC. We are not allowed to speak
about a zig-zag path where, e.g., a mixed use of $\mathrm{proc}$ and $\mathrm{proc}^{-1}$ would be possible. It is an
open question whether formulas of such a "mixed PDL" could be transformed into CFMs.